PT-2026-22493 · Npm · Openclaw
Published 2026-02-18 · Updated 2026-02-18
CVSS v4.0 8.7 High
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
Summary
OpenClaw’s browser control API accepted user-supplied output paths for trace/download files without consistently
constraining writes to OpenClaw-managed temporary directories.
Impact
If an attacker can access the browser control API, they could attempt to write trace/download output files outside
intended temp roots, depending on process filesystem permissions.
Affected versions
openclaw < 2026.2.13
Fixed versions
openclaw >= 2026.2.13
Remediation
Upgrade to 2026.2.13 or later.
What changed
The fix constrains output paths for:
POST /trace/stop
POST /wait/download
POST /download
All three now enforce OpenClaw temp-root boundaries and reject traversal/escape paths.
Credits
Thanks to Adnan Jakati (@jackhax) of Praetorian for responsible disclosure.
Fix shipped in PR #15652 and merged to main on February 13, 2026 (7f0489e4731c8d965d78d6eac4a60312e46a9426). Fix commit 7f0489e4731c8d965d78d6eac4a60312e46a9426 confirmed on main and in v2026.2.14. Upgrade to openclaw >= 2026.2.13.
Fix
Path traversal
Weakness Enumeration
Related identifiers
Affected products
Openclaw