CVE-2026-28447 Overview
CVE-2026-28447 is a path traversal vulnerability affecting OpenClaw versions 2026.1.29-beta.1 prior to 2026.2.1. The vulnerability exists in the plugin installation functionality, where malicious plugin package names can escape the intended extensions directory. Attackers can craft scoped package names containing path traversal sequences like .. to write files outside the intended installation directory when victims execute the plugins install command.
Critical Impact
Attackers can write arbitrary files outside the extensions directory by exploiting malicious package names during plugin installation, potentially leading to code execution or system compromise.
Affected Products
- OpenClaw versions from 2026.1.29-beta.1 up to, but not including, 2026.2.1
Discovery Timeline
- 2026-03-05 - CVE-2026-28447 published to NVD
- 2026-03-05 - Last updated in NVD database
Technical Details for CVE-2026-28447
Vulnerability Analysis
This path traversal vulnerability (CWE-22) stems from insufficient validation of plugin package names during the installation process. When a user runs the plugins install command, OpenClaw processes the package name without properly sanitizing path traversal sequences. This allows attackers to include directory traversal characters (..) within scoped package names, enabling file writes to arbitrary locations on the filesystem outside the designated extensions directory.
The vulnerability requires user interaction: a victim must run the install command with a malicious package name. Once triggered, however, the impact is severe, because attackers can write to sensitive directories, potentially overwriting critical system files or deploying malicious payloads.
Root Cause
The root cause lies in the plugin and hook installation path handling within OpenClaw's agent system. The application failed to properly validate and sanitize the destination paths derived from package names before writing files to disk. The fix involved hardening these installation paths to prevent directory escape attempts.
Attack Vector
The attack requires network access and user interaction. An attacker distributes a plugin package whose scoped name contains path traversal sequences; when a user installs it with OpenClaw's installation command, those sequences cause files to be written outside the intended extensions directory, at attacker-chosen filesystem locations.
The security patch addressed the vulnerable path handling in the embedded runner components:
sessionManager,
settingsManager,
});
- applySystemPromptOverrideToSession(session, systemPromptOverride);
+ applySystemPromptOverrideToSession(session, systemPromptOverride());
try {
const prior = await sanitizeSessionHistory({
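Review bot: this hunk does not touch plugin or hook install path handling; the only change is that `applySystemPromptOverrideToSession(session, systemPromptOverride)` now passes `systemPromptOverride()`, the result of calling it. A commit cited as the traversal fix should show the hunk that validates the destination derived from the package name, otherwise the excerpt gives the reader nothing to verify the hardening against.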
Source: GitHub Commit Update
tools,
});
const systemPromptOverride = createSystemPromptOverride(appendPrompt);
- const systemPromptText = systemPromptOverride;
+ const systemPromptText = systemPromptOverride();
const sessionLock = await acquireSessionWriteLock({
sessionFile: params.sessionFile,
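Review bot: since `createSystemPromptOverride(appendPrompt)` is now invoked as `systemPromptOverride()` to obtain `systemPromptText`, its return type has changed from a value to a function; a return-type annotation on `createSystemPromptOverride` or a one-line comment here would make that explicit, as nothing in the hunk says why the call is deferred. As with the first hunk, nothing shown relates to the install-path hardening the advisory describes.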
Source: GitHub Commit Update
Detection Methods for CVE-2026-28447
Indicators of Compromise
- Unexpected files created outside the OpenClaw extensions directory following plugin installations
- Plugin package names containing .. or other path traversal sequences in installation logs
- File write operations to system directories originating from OpenClaw processes
- Suspicious plugin installation activity with unusually long or malformed package names
Detection Strategies
- Monitor filesystem activity for writes outside the extensions directory during OpenClaw plugin operations
- Implement file integrity monitoring on critical system directories to detect unauthorized modifications
- Audit OpenClaw installation logs for package names containing suspicious path traversal patterns
- Deploy endpoint detection rules that alert on path traversal attempts in application contexts
Monitoring Recommendations
- Enable verbose logging for OpenClaw plugin installation operations to capture package name details
- Configure SentinelOne behavioral AI to detect anomalous file write patterns from OpenClaw processes
- Set up alerts for any file operations outside expected plugin installation directories
- Review installed plugins periodically to identify potentially malicious or unexpected packages
How to Mitigate CVE-2026-28447
Immediate Actions Required
- Upgrade OpenClaw to version 2026.2.1 or later immediately
- Audit recently installed plugins for any suspicious or unexpected file writes
- Review filesystem for unauthorized files that may have been written during previous plugin installations
- Restrict plugin installation privileges to trusted administrators only
Patch Information
The vulnerability has been addressed in OpenClaw version 2026.2.1. The fix hardens the plugin and hook installation paths to prevent path traversal attacks. The security patch is available in commit d03eca8450dc493b198a88b105fd180895238e57. For detailed information, refer to the GitHub Security Advisory GHSA-qrq5-wjgg-rvqw.
Workarounds
- Avoid installing plugins from untrusted or unverified sources until the patch is applied
- Implement filesystem-level restrictions to prevent writes outside the extensions directory
- Use application sandboxing to limit OpenClaw's filesystem access scope
- Monitor and block plugin installation commands in production environments until upgrade is complete
# Verify OpenClaw version and upgrade if vulnerable
openclaw --version
# If the version is 2026.1.29-beta.1 or later but earlier than 2026.2.1, upgrade immediately
# (global install assumed for the CLI; `npm update` does not accept a version specifier)
npm install -g @openclaw/cli@2026.2.1
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.