CVE-2026-26972 Overview
CVE-2026-26972 is a path traversal vulnerability affecting OpenClaw, a personal AI assistant application built on Node.js. The vulnerability exists in OpenClaw's browser download helpers, which accepted unsanitized output paths. When invoked via the browser control gateway routes, this flaw allowed attackers to write downloaded files outside the intended OpenClaw temporary downloads directory through path traversal techniques.
Importantly, this vulnerability is not exposed via the AI agent tool schema (there is no download action available through that interface). Exploitation requires authenticated CLI access or an authenticated gateway RPC token, limiting the attack surface to authenticated users with specific access privileges.
Critical Impact
Authenticated attackers with CLI access or gateway RPC tokens can write arbitrary files to locations outside the designated temp directory, potentially overwriting critical system files or placing malicious content in sensitive locations.
Affected Products
- OpenClaw versions 2026.1.12 through 2026.2.12 (Node.js)
- OpenClaw browser control gateway routes
- OpenClaw CLI with authenticated access
Discovery Timeline
- 2026-02-20 - CVE-2026-26972 published to NVD
- 2026-02-20 - Last updated in NVD database
Technical Details for CVE-2026-26972
Vulnerability Analysis
This path traversal vulnerability (CWE-22) stems from insufficient input validation in OpenClaw's browser download helper functions. The affected code paths exist within the browser control gateway routes, specifically in the agent action and debug route handlers. When processing download requests, the application failed to properly constrain output file paths to the designated OpenClaw temporary directory.
The vulnerability requires local access with high privileges to exploit. An attacker must possess either authenticated CLI access or a valid gateway RPC token. Once authenticated, the attacker can craft download requests whose output path contains traversal sequences (e.g., ../) and thereby write files to arbitrary locations on the filesystem. This can have a high impact on the confidentiality, integrity, and availability of the affected system.
Root Cause
The root cause of CVE-2026-26972 lies in the lack of path sanitization when resolving output file destinations for browser downloads. The original implementation in src/browser/routes/agent.act.ts and src/browser/routes/agent.debug.ts directly accepted user-controlled path inputs without validating that the resolved path remained within the expected OpenClaw temporary directory boundaries.
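To make the root cause concrete, the following TypeScript is an added illustration written for this page; it is not OpenClaw's code and does not reproduce the project's resolvePathWithinRoot. It puts the unsafe pattern (hand the caller's output path straight to path.resolve) beside a containment check of the kind the fix relies on, and shows why a naive string-prefix comparison is not enough. The download root, the file names and the use of path.posix (chosen so the results are identical on every host) are all assumptions made for the example.

```typescript
import * as path from "node:path";

// Constructed example root (not OpenClaw's real temp directory). path.posix is
// used so the resolved strings are the same on any platform.
export const DOWNLOAD_ROOT = path.posix.resolve("/tmp/openclaw-downloads");

// The vulnerable pattern: the request's outputPath is handed straight to
// path.resolve(). A plain file name lands inside the root, but "../" segments
// and absolute paths are honoured exactly as given, so the write escapes.
export function resolveOutputUnsafe(root: string, outputPath: string): string {
  return path.posix.resolve(root, outputPath);
}

// The hardened pattern: resolve the candidate against the root, then require
// that the result is the root itself or a descendant of it. Comparing against
// the root plus a trailing separator is what keeps a sibling directory such as
// "/tmp/openclaw-downloads-evil" from passing a bare startsWith() check.
export function resolveOutputWithinRoot(root: string, outputPath: string): string {
  const resolvedRoot = path.posix.resolve(root);
  const candidate = path.posix.resolve(resolvedRoot, outputPath);
  const rootWithSep = resolvedRoot.endsWith(path.posix.sep)
    ? resolvedRoot
    : resolvedRoot + path.posix.sep;
  if (candidate !== resolvedRoot && !candidate.startsWith(rootWithSep)) {
    throw new Error(`output path escapes download root: ${outputPath}`);
  }
  return candidate;
}

// True when the hardened resolver rejects the path, i.e. exactly the inputs the
// unsafe resolver would have written outside the root.
export function escapesRoot(root: string, outputPath: string): boolean {
  try {
    resolveOutputWithinRoot(root, outputPath);
    return false;
  } catch {
    return true;
  }
}
```

Note that "a/../b.txt" is accepted: a traversal segment is harmless as long as the fully resolved result is still under the root, so the check must be made on the resolved path rather than by scanning the raw string for "..".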
Attack Vector
The attack requires local access and high privileges. An authenticated attacker with CLI access or a valid gateway RPC token can exploit this vulnerability by:
- Authenticating to the OpenClaw gateway or CLI
- Invoking browser download helper functions through gateway RPC calls
- Supplying a malicious output path containing traversal sequences (e.g., ../../etc/cron.d/malicious)
- Triggering the download, which is then written outside the intended temp directory to the attacker-specified location
The security patch introduces the resolvePathWithinRoot function to constrain all output paths:
// Security fix in src/browser/routes/agent.act.ts
resolveProfileContext,
SELECTOR_UNSUPPORTED_MESSAGE,
} from "./agent.shared.js";
+import { DEFAULT_DOWNLOAD_DIR, resolvePathWithinRoot } from "./path-output.js";
import { jsonError, toBoolean, toNumber, toStringArray, toStringOrEmpty } from "./utils.js";
export function registerBrowserAgentActRoutes(
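Review bot: this hunk only adds the import of DEFAULT_DOWNLOAD_DIR and resolvePathWithinRoot from ./path-output.js; the call site inside registerBrowserAgentActRoutes where the request's output path is passed through resolvePathWithinRoot against DEFAULT_DOWNLOAD_DIR is not in the visible lines. A reviewer should confirm that every download handler in this file routes the user-supplied path through the helper and that the rejection case returns a jsonError (already imported here) instead of falling back to the raw path.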
Source: GitHub Commit 7f0489e
// Security fix in src/browser/routes/agent.debug.ts
import path from "node:path";
import type { BrowserRouteContext } from "../server-context.js";
import type { BrowserRouteRegistrar } from "./types.js";
-import { resolvePreferredOpenClawTmpDir } from "../../infra/tmp-openclaw-dir.js";
import { handleRouteError, readBody, requirePwAi, resolveProfileContext } from "./agent.shared.js";
+import { DEFAULT_TRACE_DIR, resolvePathWithinRoot } from "./path-output.js";
import { toBoolean, toStringOrEmpty } from "./utils.js";
-const DEFAULT_TRACE_DIR = resolvePreferredOpenClawTmpDir();
-
export function registerBrowserAgentDebugRoutes(
app: BrowserRouteRegistrar,
ctx: BrowserRouteContext,
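Review bot: dropping resolvePreferredOpenClawTmpDir and the local DEFAULT_TRACE_DIR constant in favour of the import from ./path-output.js centralises the root, but `import path from "node:path";` is kept, which implies path.resolve or path.join is still called in this file. Check that each remaining use on a request-supplied trace path goes through resolvePathWithinRoot, and that nothing else in the module still references the removed constant.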
Source: GitHub Commit 7f0489e
Detection Methods for CVE-2026-26972
Indicators of Compromise
- Unexpected file writes outside the OpenClaw temp directory (typically under the user's .openclaw/tmp/ path)
- Gateway RPC logs showing download requests with path traversal patterns such as ../ or absolute paths
- New or modified files in sensitive system directories that correspond to download timestamps
- Anomalous CLI authentication patterns followed by download operations
Detection Strategies
- Monitor filesystem operations originating from the OpenClaw process for writes outside expected directories
- Implement log analysis rules to detect path traversal sequences in gateway RPC download parameters
- Use file integrity monitoring (FIM) on critical system directories to detect unauthorized modifications
- Review gateway authentication logs for unusual access patterns or token usage
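As an added example of the log-analysis rule suggested above (not an OpenClaw component, and the log format is an assumption made for this page: an ISO timestamp, a token id, the RPC method and a JSON parameter blob), this TypeScript scans constructed gateway RPC lines for download requests whose outputPath is absolute or contains a parent-directory segment, after percent-decoding so that an encoded "../" is not missed. The sample lines, token ids and method names are constructed.

```typescript
// Constructed gateway RPC log lines (not real OpenClaw output). The format is
// an assumption: "<timestamp> token=<id> method=<name> params=<json>".
export const SAMPLE_LOG_LINES: string[] = [
  '2026-02-21T09:14:02Z token=tk_a1 method=browser.download params={"url":"https://example.org/report.pdf","outputPath":"report.pdf"}',
  '2026-02-21T09:14:40Z token=tk_a1 method=browser.download params={"url":"https://example.org/q.csv","outputPath":"exports/q.csv"}',
  '2026-02-21T09:15:11Z token=tk_b7 method=browser.download params={"url":"https://example.org/x","outputPath":"../../escaped.txt"}',
  '2026-02-21T09:15:30Z token=tk_b7 method=browser.download params={"url":"https://example.org/x","outputPath":"/var/tmp/escaped.txt"}',
  '2026-02-21T09:15:52Z token=tk_b7 method=browser.download params={"url":"https://example.org/x","outputPath":"..%2F..%2Fescaped.txt"}',
  '2026-02-21T09:16:03Z token=tk_c2 method=browser.navigate params={"url":"https://example.org/"}',
];

export interface Finding {
  timestamp: string;
  token: string;
  outputPath: string;
  reason: string;
}

// Percent-decode up to twice (to catch double encoding) and fold backslashes
// to forward slashes so a Windows-style traversal is seen as well.
function normalise(p: string): string {
  let out = p;
  for (let i = 0; i < 2; i++) {
    try {
      out = decodeURIComponent(out);
    } catch {
      break;
    }
  }
  return out.replace(/\\/g, "/");
}

// Returns a reason string when the output path should be flagged, else null.
export function classifyOutputPath(raw: string): string | null {
  const p = normalise(raw);
  if (p.startsWith("/") || /^[A-Za-z]:\//.test(p)) return "absolute output path";
  if (p.split("/").includes("..")) return "parent-directory traversal segment";
  return null;
}

const LINE_RE = /^(\S+) token=(\S+) method=(\S+) params=(\{.*\})$/;

function parseParams(json: string): Record<string, unknown> | null {
  try {
    const v: unknown = JSON.parse(json);
    return typeof v === "object" && v !== null ? (v as Record<string, unknown>) : null;
  } catch {
    return null;
  }
}

// Walk the log and collect one finding per suspicious download request.
export function scanGatewayLog(lines: string[]): Finding[] {
  const findings: Finding[] = [];
  for (const line of lines) {
    const m = LINE_RE.exec(line);
    if (!m) continue;
    const timestamp = m[1];
    const token = m[2];
    const method = m[3];
    if (method !== "browser.download") continue;
    const params = parseParams(m[4]);
    if (!params || typeof params.outputPath !== "string") continue;
    const reason = classifyOutputPath(params.outputPath);
    if (reason) findings.push({ timestamp, token, outputPath: params.outputPath, reason });
  }
  return findings;
}

// Distinct token ids that issued at least one flagged request, for triage and
// for deciding which credentials to revoke.
export function tokensWithFindings(findings: Finding[]): string[] {
  return Array.from(new Set(findings.map((f) => f.token))).sort();
}
```

Flagging every parent-directory segment is deliberately noisier than the resolved-path check a fix performs: on the detection side a benign "a/../b.txt" is still worth a look, since a well-behaved client has no reason to emit it.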
Monitoring Recommendations
- Enable verbose logging for OpenClaw gateway RPC operations to capture full request parameters
- Configure endpoint detection solutions to alert on path traversal patterns in process arguments
- Implement real-time file system auditing for the OpenClaw process with alerts on out-of-directory writes
- Monitor for new files appearing in system-critical paths that coincide with OpenClaw process activity
How to Mitigate CVE-2026-26972
Immediate Actions Required
- Upgrade OpenClaw to version 2026.2.13 or later immediately
- Audit gateway RPC tokens and revoke any unnecessary or compromised credentials
- Review system file integrity for signs of unauthorized writes from OpenClaw
- Restrict CLI and gateway RPC access to only trusted users who require it
Patch Information
The vulnerability has been fixed in OpenClaw version 2026.2.13. The patch introduces the resolvePathWithinRoot function in a new path-output.js module, which validates that all download and trace output paths are constrained within the designated OpenClaw temporary directory root.
For detailed patch information, see the GitHub Security Advisory GHSA-xwjm-j929-xq7c and the security commit 7f0489e.
Workarounds
- Disable or restrict access to browser control gateway routes until patching is complete
- Implement network segmentation to limit gateway RPC access to trusted hosts only
- Use application-level firewalls or reverse proxies to filter requests containing path traversal patterns
- Rotate all gateway RPC tokens after upgrading to ensure compromised tokens cannot be reused
# Upgrade OpenClaw to the patched version
npm update openclaw@2026.2.13
# Verify the installed version
npm list openclaw
# Review gateway authentication tokens (revoke and regenerate if necessary)
openclaw config list-tokens
openclaw config revoke-token <token-id>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

