TROYANOSYVIRUS
Volver a CVEs

CVE-2026-28486

MEDIUM
6.1

Descripcion

OpenClaw versions 2026.1.16-2 prior to 2026.2.14 contain a path traversal vulnerability in archive extraction during installation commands that allows arbitrary file writes outside the intended directory. Attackers can craft malicious archives that, when extracted via skills install, hooks install, plugins install, or signal install commands, write files to arbitrary locations enabling persistence or code execution.

Detalles CVE

Puntuacion CVSS v3.16.1
SeveridadMEDIUM
Vector CVSSCVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L
Vector de ataqueLOCAL
ComplejidadLOW
Privilegios requeridosNONE
Interaccion usuarioREQUIRED
Publicado3/5/2026
Ultima modificacion3/11/2026
Fuentenvd
Avistamientos honeypot0

Productos afectados

openclaw:openclaw

Debilidades (CWE)

CWE-22

Referencias

https://github.com/openclaw/openclaw/commit/3aa94afcfd12104c683c9cad81faf434d0dadf87(disclosure@vulncheck.com)
https://github.com/openclaw/openclaw/security/advisories/GHSA-v892-hwpg-jwqp(disclosure@vulncheck.com)
https://www.vulncheck.com/advisories/openclaw-path-traversal-zip-slip-in-archive-extraction-via-installation-commands(disclosure@vulncheck.com)

Correlaciones IOC

Sin correlaciones registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.