PT-2026-23534 · Openclaw · Openclaw

Oleh Konko · Published 2026-03-02 · Updated 2026-03-07 · CVE-2026-28457

CVSS v3.1: 7.9 (High)
Vector: AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.2.14

Description: The software contains a path traversal issue in sandbox skill mirroring: the skill frontmatter name parameter is used without proper sanitization when a skill is copied into the sandbox workspace. An attacker can provide a specially crafted skill package whose name field contains traversal sequences such as '../' or an absolute path, causing files to be written outside the designated sandbox workspace root directory. This could allow file writes with the permissions of the user running OpenClaw. The issue requires the attacker to provide a skill package and the victim to have sandbox mode enabled with skill mirroring active.

Recommendations: Update to version 2026.2.14 or later.

Fix

Weakness Enumeration: Path traversal

Related Identifiers:
CVE-2026-28457
GHSA-XW4P-PW82-HQR7

Affected Products: Openclaw