OpenClaw, Path Traversal, CVE-2026-XXXX (Critical)

Listen to this Post

How CVE-2026-XXXX Works:

OpenClaw versions up to 2026.2.9 contain a path traversal vulnerability in transcript file handling. The gateway constructs file paths for transcripts using an unsanitized `sessionId` parameter. It also accepts `sessionFile` paths without validating that they stay within the designated agent sessions directory. An attacker authenticated to the gateway can craft a malicious `sessionId` or `sessionFile` containing path traversal sequences (e.g., ../../etc/passwd). This manipulation occurs during read/write operations for transcript files, allowing arbitrary file access on the host system. By default, the gateway binds to loopback, limiting exploitation to local users. However, if the gateway is exposed to a network, remote attackers who can authenticate can leverage this flaw. The vulnerability enables reading sensitive files, overwriting critical data, or potentially escalating privileges. The root cause is insufficient input validation and missing directory containment checks. The issue is fixed in OpenClaw version 2026.2.12 by sanitizing session IDs and enforcing strict file path controls. This is a critical vulnerability due to its potential for severe impact.

dailycve form:

Platform: OpenClaw (npm)
Version: <= 2026.2.9
Vulnerability: Path Traversal
Severity: Critical
date: 2026-02-18

Prediction: Patched in 2026.2.12

What Undercode Say:

Analytics:

  • Check installed version: `npm list openclaw`
    – Upgrade to patched version: `npm install [email protected]`
    – Simulate vulnerable request (local): `curl -X POST http://localhost:8080/transcript –data “sessionId=../../etc/passwd” -H “Authorization: Bearer “`
    – Verify fix commit: `git show 4199f9889f0c307b77096a229b9e085b8d856c26`

How Exploit:

  • Authenticate to the gateway using a valid token/password.
  • Send a request with `sessionId` set to `../../etc/passwd` during transcript read.
  • Alternatively, provide `sessionFile` with traversal sequences to write arbitrary files.
  • Exploit requires local access unless gateway is exposed.

Protection from this CVE:

  • Upgrade to OpenClaw >= 2026.2.12 immediately.
  • Restrict gateway to loopback binding (default configuration).
  • Implement input validation for session IDs and enforce directory containment.
  • Monitor logs for suspicious file access patterns.

Impact:

  • Unauthorized file read leading to data exposure (e.g., /etc/passwd).
  • Arbitrary file write potentially causing system compromise or DoS.
  • Increased attack surface if gateway is exposed to networks.
  • Privilege escalation if sensitive files are overwritten.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top