What is the CVSS score of CVE-2026-28447?

CVE-2026-28447 has a CVSS 3.1 base score of 8.1 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H. EPSS exploitation probability: 0.0%.

Which versions of Openclaw are affected by CVE-2026-28447?

OpenClaw plugin installation contains a path traversal vulnerability that could allow attackers to write malicious files outside the intended directory, potentially compromising system integrity and…. A patch is available.

Openclaw CVE-2026-28447

HIGH

Path Traversal (CWE-22)

2026-03-05 disclosure@vulncheck.com

GHSA-qrq5-wjgg-rvqw

Path Traversal Openclaw

8.1

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:06 vuln.today

Patch released

Mar 10, 2026 - 19:43 nvd

Patch available

CVE Published

Mar 05, 2026 - 22:16 nvd

HIGH 8.1

DescriptionNVD

OpenClaw versions 2026.1.29-beta.1 prior to 2026.2.1 contain a path traversal vulnerability in plugin installation that allows malicious plugin package names to escape the extensions directory. Attackers can craft scoped package names containing path traversal sequences like .. to write files outside the intended installation directory when victims run the plugins install command.

AnalysisAI

OpenClaw 2026.1.29-beta.1 through 2026.2.0 is vulnerable to path traversal during plugin installation, enabling attackers to write arbitrary files outside the intended extensions directory by crafting malicious package names with traversal sequences. An unauthenticated attacker can exploit this when users execute the plugin install command, potentially achieving arbitrary file write capabilities on the affected system. …

RemediationAI

Within 24 hours: Inventory all systems running OpenClaw and identify affected versions. Within 7 days: Apply vendor patch to upgrade to version 2026.2.1 or later across all production and non-production environments. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-28447 vulnerability details – vuln.today

Back