PT-2026-23537 · OpenClaw

Author: Adnan Jakati
Published: 2026-02-18 · Updated: 2026-03-07

CVE-2026-28462
CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.2.13

Description: The browser control API in OpenClaw accepts user-supplied output paths for trace and download files without consistently constraining writes to its temporary directories. An attacker with access to the API can use path traversal in the output path to write files outside the intended temp roots through the following POST endpoints: /trace/stop, /wait/download, and /download. The advisory does not name the vulnerable parameters.

Recommendations: Upgrade to version 2026.2.13 or later.

Fix

Path traversal

Weakness Enumeration

Related Identifiers: CVE-2026-28462, GHSA-GQ9C-WG68-GWJ2

Affected Products: OpenClaw