CVE-2026-28482: OpenClaw's unsanitized session ID enables path traversal in transcript file operations
OpenClaw versions <= 2026.2.9 construct transcript file paths using an unsanitized sessionId and also accept sessionFile paths without enforcing that they stay within the agent sessions directory.
A crafted sessionId and/or sessionFile (example: ../../etc/passwd) can cause path traversal when the gateway performs transcript file read/write operations.
Preconditions: an attacker must be able to authenticate to the gateway (gateway token or password). By default the gateway binds to loopback (local-only); configurations that expose it beyond the local host widen the attack surface.
References
- github.com/advisories/GHSA-5xfq-5mr7-426q
- github.com/openclaw/openclaw
- github.com/openclaw/openclaw/commit/4199f9889f0c307b77096a229b9e085b8d856c26
- github.com/openclaw/openclaw/commit/cab0abf52ac91e12ea7a0cf04fff315cf0c94d64
- github.com/openclaw/openclaw/releases/tag/v2026.2.12
- github.com/openclaw/openclaw/security/advisories/GHSA-5xfq-5mr7-426q
- nvd.nist.gov/vuln/detail/CVE-2026-28482
- www.vulncheck.com/advisories/openclaw-path-traversal-via-unsanitized-sessionid-and-sessionfile-parameters