CVE-2026-28447
Severity: HIGH (CVSS 8.1)
Description
OpenClaw versions from 2026.1.29-beta.1 up to, but not including, 2026.2.1 contain a path traversal vulnerability in plugin installation that allows a malicious plugin package name to escape the extensions directory. An attacker can craft a scoped package name containing path traversal sequences such as .. so that, when the victim runs the plugins install command, files are written outside the intended installation directory.
CVE Details
CVSS v3.1 Score: 8.1
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
Attack Vector: NETWORK
Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Published: 3/5/2026
Last Modified: 3/10/2026
Source: nvd
Honeypot Sightings: 0
Affected Products
openclaw:openclaw
Weaknesses (CWE)
CWE-22
References
https://github.com/openclaw/openclaw/commit/d03eca8450dc493b198a88b105fd180895238e57 (disclosure@vulncheck.com)
https://github.com/openclaw/openclaw/security/advisories/GHSA-qrq5-wjgg-rvqw (disclosure@vulncheck.com)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.