Vulnerability Description
OpenClaw versions 2026.1.16-2 prior to 2026.2.14 contain a path traversal vulnerability in archive extraction during installation commands that allows arbitrary file writes outside the intended directory. Attackers can craft malicious archives that, when extracted via skills install, hooks install, plugins install, or signal install commands, write files to arbitrary locations enabling persistence or code execution.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Openclaw | Openclaw | >= 2026.1.20, < 2026.2.14 |
Related Weaknesses (CWE)
References
- https://github.com/openclaw/openclaw/commit/3aa94afcfd12104c683c9cad81faf434d0daPatch
- https://github.com/openclaw/openclaw/security/advisories/GHSA-v892-hwpg-jwqpVendor Advisory
- https://www.vulncheck.com/advisories/openclaw-path-traversal-zip-slip-in-archiveThird Party Advisory
FAQ
What is CVE-2026-28486?
CVE-2026-28486 is a vulnerability with a CVSS score of 6.1 (MEDIUM). OpenClaw versions 2026.1.16-2 prior to 2026.2.14 contain a path traversal vulnerability in archive extraction during installation commands that allows arbitrary file writes outside the intended direct...
How severe is CVE-2026-28486?
CVE-2026-28486 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-28486?
Check the references section above for vendor advisories and patch information. Affected products include: Openclaw Openclaw.