CVE-2026-26972: OpenClaw: path traversal allows arbitrary file write
Severity: MEDIUM

OpenClaw's browser download helpers accept unsanitized output paths via the browser control gateway routes, allowing an authenticated attacker to write files anywhere on the filesystem rather than the intended temp directory. Despite the medium CVSS score (6.7), the confidentiality, integrity, and availability impacts are all rated High — meaning a compromised authenticated session can yield a full filesystem write primitive, enabling persistence, config tampering, or staged code execution. OpenClaw already carries 11 other CVEs in this same package, and a related incident (AIID #1368) documented malicious OpenClaw skills actively delivering credential stealers in early 2026, raising the stakes for any authenticated foothold in this environment. Upgrade to version 2026.2.13 immediately; if patching must be delayed, rotate RPC gateway tokens and restrict CLI access to the minimum necessary users.
Risk Assessment
The local attack vector and high-privilege requirement limit opportunistic exploitation — this is not remotely triggerable without credentials. However, in enterprise or team deployments where RPC gateway tokens are shared across automation pipelines or CI processes, the effective attack surface expands considerably. The High C/I/A impact scores signal that post-exploitation impact is disproportionate to the CVSS base score, particularly in environments where OpenClaw runs with broad filesystem permissions as a local AI assistant. The package's history of 11 CVEs indicates ongoing security debt and warrants closer scrutiny of the overall OpenClaw deployment posture.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| openclaw | pip | — | No patch |
Recommended Action
- Upgrade OpenClaw to version 2026.2.13 (patched). Verify the fix via the commit at github.com/openclaw/openclaw/commit/7f0489e4.
- If immediate patching is blocked, revoke and rotate all authenticated RPC gateway tokens; restrict CLI access to only named, necessary users.
- Audit the OpenClaw temp download directory and its parent directories for unexpected files or modified configs written outside the temp path.
- Deploy endpoint detection rules for filesystem writes originating from the OpenClaw process to paths outside its designated temp directory.
- Review RPC gateway network exposure — if reachable beyond localhost, add firewall restrictions immediately.
Related AI Incidents (1)
Source: AI Incident Database (AIID)
Technical Details
NVD Description
OpenClaw is a personal AI assistant. In versions 2026.1.12 through 2026.2.12, OpenClaw browser download helpers accepted an unsanitized output path. When invoked via the browser control gateway routes, this allowed path traversal to write downloads outside the intended OpenClaw temp downloads directory. This issue is not exposed via the AI agent tool schema (no `download` action). Exploitation requires authenticated CLI access or an authenticated gateway RPC token. Version 2026.2.13 fixes the issue.
Exploitation Scenario
An attacker who has obtained a valid RPC gateway token — through credential theft from a developer workstation, a leaked CI/CD secret, or the malicious OpenClaw skill ecosystem documented in AIID #1368 — sends a crafted gateway request invoking the browser download helper with a path such as '../../~/.config/openclaw/agent.conf' or '../../etc/cron.d/persistence'. Because the path is passed unsanitized, OpenClaw writes attacker-controlled content to the targeted location. In an AI agent deployment context, overwriting the agent configuration file would allow the adversary to redirect tool invocations, inject malicious system prompts, or disable safety controls — effectively taking over the agent's behavior for future sessions without triggering re-authentication.
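The containment check this class of bug calls for, shown next to the unsafe join, as an added example: it is not OpenClaw's code or its actual fix, and the function names, the `downloads` directory and the sample inputs are assumptions constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


class UnsafeOutputPath(ValueError):
    """The requested output path would land outside the download root."""


def naive_output_path(download_root: Path, requested: str) -> Path:
    # Unsafe pattern: the caller-supplied string is joined as-is, so "../"
    # segments or an absolute path decide where the file is written.
    return Path(os.path.normpath(download_root / requested))


def safe_output_path(download_root: Path, requested: str) -> Path:
    # Resolve ".." and symlinks on both sides, then require containment.
    root = download_root.resolve()
    candidate = (root / requested).resolve()
    if candidate == root or not candidate.is_relative_to(root):
        raise UnsafeOutputPath(f"{requested!r} resolves outside {root}")
    return candidate


def write_download(download_root: Path, requested: str, data: bytes) -> Path:
    target = safe_output_path(download_root, requested)
    target.parent.mkdir(parents=True, exist_ok=True)
    # O_EXCL refuses to overwrite an existing file; O_NOFOLLOW refuses a
    # symlink planted as the final path component.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    with os.fdopen(os.open(target, flags, 0o600), "wb") as fh:
        fh.write(data)
    return target


def demo() -> dict:
    # Constructed inputs; the relative traversal string is the one quoted in
    # the scenario above, the absolute one is an added variant.
    requests = ["report.pdf", "sub/report.pdf",
                "../../etc/cron.d/persistence", "/etc/cron.d/persistence"]
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "downloads"
        root.mkdir()
        for requested in requests:
            try:
                write_download(root, requested, b"payload")
                results[requested] = "written"
            except UnsafeOutputPath:
                results[requested] = "rejected"
    return results
```

The resolve-then-open sequence is not atomic, so the download root itself must not be writable by other local users.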
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Related Vulnerabilities
| ID | Score | Title | Relation |
|---|---|---|---|
| CVE-2026-30741 | 9.8 | OpenClaw: RCE via request-side prompt injection | Same package: openclaw |
| CVE-2026-28451 | 9.3 | OpenClaw: SSRF via Feishu extension exposes internal services | Same package: openclaw |
| GHSA-m3mh-3mpg-37hw | 8.6 | OpenClaw: .npmrc hijack enables RCE on plugin install | Same package: openclaw |
| CVE-2026-27001 | 7.8 | OpenClaw: prompt injection via unsanitized workspace path | Same package: openclaw |
| GHSA-hr5v-j9h9-xjhg | 7.7 | OpenClaw: sandbox escape via mediaUrl path traversal | Same package: openclaw |