Description
OpenClaw is a personal AI assistant. In versions 2026.1.12 through 2026.2.12, OpenClaw browser download helpers accepted an unsanitized output path. When invoked via the browser control gateway routes, this allowed path traversal to write downloads outside the intended OpenClaw temp downloads directory. This issue is not exposed via the AI agent tool schema (no `download` action). Exploitation requires authenticated CLI access or an authenticated gateway RPC token. Version 2026.2.13 fixes the issue.
Published: 2026-02-19
Score: 6.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Path Traversal
Action: Immediate Patch
AI Analysis

Impact

OpenClaw’s browser download helpers accept an unsanitized output path, allowing a user with authenticated CLI access or an authenticated gateway RPC token to perform path traversal and write files outside the intended temporary downloads directory. The flaw can be used to place files at arbitrary locations within the host file system when the download feature is invoked through the browser control gateway routes, potentially disrupting the normal operation of the application.

Affected Systems

This vulnerability affects OpenClaw personal AI assistant versions 2026.1.12 through 2026.2.12, which are built on Node.js. The issue exists on any operating system where the application is installed. Version 2026.2.13 removes the flaw.

Risk and Exploitability

The CVSS score of 6.7 indicates medium severity, and the EPSS score of less than 1% suggests that exploitation is unlikely to be widespread. The flaw is not listed in the CISA KEV catalog. Attackers need authenticated access via the CLI or a gateway RPC token, which limits the attack surface to compromised accounts. Once authentication is achieved, the path traversal can be leveraged to write arbitrary files, presenting a medium risk to the confidentiality and integrity of the affected system.

Generated by OpenCVE AI on April 18, 2026 at 11:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to OpenClaw v2026.2.13 or later, where the path traversal issue is fixed.
  • Restrict CLI and gateway RPC token usage to the least privilege required for normal operation, and monitor for unauthorized token use.
  • If the browser download helper is not required, disable it or constrain its usage to a monitored environment to reduce exposure.

Generated by OpenCVE AI on April 18, 2026 at 11:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-xwjm-j929-xq7c OpenClaw has a Path Traversal in Browser Download Functionality
History

Fri, 20 Feb 2026 19:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*

Fri, 20 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 20 Feb 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Openclaw
Openclaw openclaw
Vendors & Products Openclaw
Openclaw openclaw

Thu, 19 Feb 2026 23:30:00 +0000

Type Values Removed Values Added
Description OpenClaw is a personal AI assistant. In versions 2026.1.12 through 2026.2.12, OpenClaw browser download helpers accepted an unsanitized output path. When invoked via the browser control gateway routes, this allowed path traversal to write downloads outside the intended OpenClaw temp downloads directory. This issue is not exposed via the AI agent tool schema (no `download` action). Exploitation requires authenticated CLI access or an authenticated gateway RPC token. Version 2026.2.13 fixes the issue.
Title OpenClaw has a Path Traversal in Browser Download Functionality
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 6.7, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Openclaw Openclaw
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-20T15:38:25.996Z

Reserved: 2026-02-16T22:20:28.612Z

Link: CVE-2026-26972

cve-icon Vulnrichment

Updated: 2026-02-20T15:29:38.156Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-20T00:16:16.500

Modified: 2026-02-20T19:03:33.710

Link: CVE-2026-26972

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T11:45:44Z

Weaknesses