CVE-2026-28447
HIGH
GHSA-qrq5-wjgg-rvqw
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
Lifecycle Timeline
3Tags
Description
OpenClaw versions 2026.1.29-beta.1 prior to 2026.2.1 contain a path traversal vulnerability in plugin installation that allows malicious plugin package names to escape the extensions directory. Attackers can craft scoped package names containing path traversal sequences like .. to write files outside the intended installation directory when victims run the plugins install command.
Analysis
OpenClaw 2026.1.29-beta.1 through 2026.2.0 is vulnerable to path traversal during plugin installation, enabling attackers to write arbitrary files outside the intended extensions directory by crafting malicious package names with traversal sequences. An unauthenticated attacker can exploit this when users execute the plugin install command, potentially achieving arbitrary file write capabilities on the affected system. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Inventory all systems running OpenClaw and identify affected versions. Within 7 days: Apply vendor patch to upgrade to version 2026.2.1 or later across all production and non-production environments. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today