Openclaw · Openclaw · CVE-2026-28459
**Name of the Vulnerable Software and Affected Versions**
OpenClaw versions prior to 2026.2.12
**Description**
OpenClaw versions prior to 2026.2.12 do not properly validate the `sessionFile` path parameter, potentially allowing authenticated gateway clients to write transcript data to arbitrary locations on the host filesystem. An attacker can supply a `sessionFile` path outside the sessions directory to create files and repeatedly append data, which could lead to configuration corruption or denial of service. The issue involves the gateway accepting an untrusted `sessionFile` path when resolving the session transcript file.
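The root cause described above is a path containment check that is missing when the gateway resolves `sessionFile`. The following TypeScript is an added illustration of what such a check looks like; it is not OpenClaw's code and does not reproduce the fix shipped in 2026.2.12. The sessions directory, the function names `resolveSessionFile` / `isSafeSessionFile` and the sample inputs are all constructed for the example. `path.posix` is used so that the resolved strings are identical on every platform.

```typescript
import * as path from "node:path";

// Constructed example root for the sessions directory; the advisory does not
// state where OpenClaw keeps its transcripts.
const SESSIONS_DIR = "/var/lib/gateway/sessions";

class SessionPathError extends Error {}

// Resolve a client-supplied sessionFile against the sessions directory and
// return the absolute path the gateway may open, or throw if the value would
// land anywhere outside that directory.
function resolveSessionFile(sessionsDir: string, sessionFile: unknown): string {
  if (typeof sessionFile !== "string" || sessionFile.length === 0) {
    throw new SessionPathError("sessionFile must be a non-empty string");
  }
  // A NUL byte would silently truncate the path at the OS boundary.
  if (sessionFile.includes("\0")) {
    throw new SessionPathError("sessionFile contains a NUL byte");
  }
  const root = path.posix.resolve(sessionsDir);
  // resolve() collapses "..", "." and repeated separators. An absolute
  // sessionFile replaces root entirely, which the containment check catches.
  const candidate = path.posix.resolve(root, sessionFile);
  const rel = path.posix.relative(root, candidate);
  // rel is "" when candidate is the directory itself, and begins with a ".."
  // segment when candidate lies outside root. Testing the whole segment rather
  // than startsWith("..") keeps a legitimate file named "..notes.jsonl" legal.
  if (rel === "" || rel === ".." || rel.startsWith("../")) {
    throw new SessionPathError(`sessionFile escapes the sessions directory: ${sessionFile}`);
  }
  return candidate;
}

// Convenience predicate for callers that only need accept/reject.
function isSafeSessionFile(sessionsDir: string, sessionFile: unknown): boolean {
  try {
    resolveSessionFile(sessionsDir, sessionFile);
    return true;
  } catch (err) {
    if (err instanceof SessionPathError) return false;
    throw err;
  }
}

// Stand-alone demonstration over constructed inputs.
const samples: unknown[] = [
  "agent-1.jsonl",          // plain name inside the directory: accepted
  "team/agent-1.jsonl",     // nested path still inside: accepted
  "..notes.jsonl",          // odd but legal file name: accepted
  "../../outside.jsonl",    // climbs out of the directory: rejected
  "/tmp/outside.jsonl",     // absolute path: rejected
  "a/../../b.jsonl",        // escapes after normalisation: rejected
  ".",                      // the directory itself: rejected
  "x\0y.jsonl",             // embedded NUL: rejected
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", isSafeSessionFile(SESSIONS_DIR, s) ? "accepted" : "rejected");
}
```

Two caveats apply to a check of this kind. It is purely lexical: if a symlink already exists inside the sessions directory, the resolved path can still point elsewhere, so the file should be opened with a real-path comparison or a no-follow flag as a second layer. And where the protocol never needs subdirectories, a stricter allowlist (a single component matching a fixed name pattern and extension) removes most of the remaining surface.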
**Recommendations**
Update OpenClaw to version 2026.2.12 or later.