CVE-2026-28457 Overview
OpenClaw versions prior to 2026.2.14 contain a path traversal vulnerability (CWE-22) in the sandbox skill mirroring feature. When skill mirroring is enabled, the application uses the skill frontmatter name parameter without proper sanitization when copying skills into the sandbox workspace. This allows attackers who provide a crafted skill package containing traversal sequences like ../ or absolute paths in the name field to write files outside the intended sandbox workspace root directory.
Critical Impact
Attackers can escape the sandbox workspace and write arbitrary files to the filesystem, potentially overwriting critical application files or system configurations.
Affected Products
- OpenClaw versions prior to 2026.2.14
- Installations with sandbox skill mirroring enabled
Discovery Timeline
- 2026-03-05 - CVE-2026-28457 published to NVD
- 2026-03-05 - Last updated in NVD database
Technical Details for CVE-2026-28457
Vulnerability Analysis
This path traversal vulnerability exists in the sandbox skill mirroring functionality of OpenClaw. The vulnerability stems from improper handling of user-controlled input in the skill frontmatter name parameter during the skill synchronization process. When a skill package is mirrored into the sandbox workspace, the application constructs the destination file path by directly concatenating the workspace root with the skill name without validating that the resulting path remains within the sandbox boundaries.
The vulnerability requires user interaction as it necessitates the victim to import or mirror a maliciously crafted skill package. The attack is local in nature and requires the sandbox skill mirroring feature to be explicitly enabled.
Root Cause
The root cause is insufficient input validation in the skill workspace handling code (src/agents/skills/workspace.ts). The application fails to sanitize or validate the skill name parameter from the skill frontmatter before using it to construct filesystem paths. This allows directory traversal sequences to escape the intended sandbox workspace directory.
Attack Vector
The attack vector requires local access and user interaction. An attacker must:
- Create a malicious skill package with a crafted name field containing path traversal sequences (e.g., ../../etc/config)
- Distribute the malicious skill package to a target user
- The victim must have sandbox skill mirroring enabled and import/sync the malicious skill
- Upon mirroring, files are written outside the sandbox workspace to attacker-controlled locations
The following patch addresses the vulnerability by implementing proper path confinement:
} from "./types.js";
import { createSubsystemLogger } from "../../logging/subsystem.js";
import { CONFIG_DIR, resolveUserPath } from "../../utils.js";
+import { resolveSandboxPath } from "../sandbox-paths.js";
import { resolveBundledSkillsDir } from "./bundled-dir.js";
import { shouldIncludeSkill } from "./config.js";
import {
Source: GitHub Commit Changes
Detection Methods for CVE-2026-28457
Indicators of Compromise
- Unexpected files appearing outside the OpenClaw sandbox workspace directory
- Skill packages with suspicious name fields containing ../ sequences or absolute paths
- File system modifications in directories adjacent to or outside the workspace root
- Application logs showing skill sync operations with unusual path patterns
Detection Strategies
- Monitor file system operations for write attempts outside the designated sandbox workspace directories
- Implement file integrity monitoring (FIM) on critical system directories and application configuration files
- Review imported skill packages for path traversal sequences in frontmatter fields
- Audit OpenClaw application logs for skill mirroring activities with anomalous path patterns
Monitoring Recommendations
- Enable detailed logging for the sandbox skill mirroring feature to capture all file operations
- Configure alerts for file creation events in parent directories of the sandbox workspace
- Implement real-time monitoring of skill import operations and validate path structures
- Use SentinelOne's behavioral AI to detect anomalous file write patterns indicative of path traversal exploitation
How to Mitigate CVE-2026-28457
Immediate Actions Required
- Upgrade OpenClaw to version 2026.2.14 or later immediately
- If unable to upgrade, disable the sandbox skill mirroring feature until the patch can be applied
- Audit recently imported skill packages for malicious path traversal sequences in the name field
- Review file system for unexpected files that may have been written outside the sandbox workspace
Patch Information
The vulnerability has been addressed in OpenClaw version 2026.2.14. The fix introduces the resolveSandboxPath function from the sandbox-paths.js module to properly confine all skill sync destination paths within the sandbox workspace boundaries.
For detailed patch information, refer to the GitHub Commit Changes and the GitHub Security Advisory.
Workarounds
- Disable sandbox skill mirroring in OpenClaw configuration until the patch is applied
- Only import skill packages from trusted, verified sources
- Implement network-level controls to prevent downloading skill packages from untrusted repositories
- Use application sandboxing or containerization to limit the impact of potential path traversal exploitation
# Disable sandbox skill mirroring in OpenClaw configuration
# Edit your OpenClaw configuration file (e.g., config.yaml)
sandbox:
skill_mirroring:
enabled: false
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
