GHSA-XW4P-PW82-HQR7
Vulnerability from github – Published: 2026-03-02 22:51 – Updated: 2026-03-06 01:05
Summary
OpenClaw's sandbox skill mirroring path traversal vulnerability could write outside the sandbox workspace
Details
Overview
In affected versions, OpenClaw’s sandbox skill mirroring used the skill’s frontmatter name as part of the destination path when copying skills into the sandbox workspace. A crafted skill name containing traversal segments (for example ../) or an absolute path could cause the copy to write outside <sandbox_workspace>/skills/.
Impact
- Files may be written outside the sandbox workspace root (within the permissions of the user running OpenClaw).
Attack Requirements
- Attacker can provide a skill package (controls SKILL.md frontmatter).
- Victim runs with sandbox enabled and skill mirroring into the sandbox workspace.
Affected Packages / Versions
- openclaw (npm): < 2026.2.14
Fixed In
- openclaw (npm): >= 2026.2.14
Fix Commit(s)
- 3eb6a31b6fcf8268456988bfa8e3637d373438c2
OpenClaw thanks @1seal for reporting.
Severity
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.2.14"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-28457"
],
"database_specific": {
"cwe_ids": [
"CWE-22"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-02T22:51:51Z",
"nvd_published_at": "2026-03-05T22:16:18Z",
"severity": "MODERATE"
},
"details": "## Overview\n\nIn affected versions, OpenClaw\u2019s sandbox skill mirroring used the skill\u2019s frontmatter `name` as part of the destination path when copying skills into the sandbox workspace. A crafted skill name containing traversal segments (for example `../`) or an absolute path could cause the copy to write outside `\u003csandbox_workspace\u003e/skills/`.\n\n## Impact\n\n- Files may be written outside the sandbox workspace root (within the permissions of the user running OpenClaw).\n\n## Attack Requirements\n\n- Attacker can provide a skill package (controls `SKILL.md` frontmatter).\n- Victim runs with sandbox enabled and skill mirroring into the sandbox workspace.\n\n## Affected Packages / Versions\n\n- `openclaw` (npm): `\u003c 2026.2.14`\n\n## Fixed In\n\n- `openclaw` (npm): `\u003e= 2026.2.14`\n\n## Fix Commit(s)\n\n- 3eb6a31b6fcf8268456988bfa8e3637d373438c2\n\nOpenClaw thanks @1seal for reporting.",
"id": "GHSA-xw4p-pw82-hqr7",
"modified": "2026-03-06T01:05:34Z",
"published": "2026-03-02T22:51:51Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-xw4p-pw82-hqr7"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28457"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/3eb6a31b6fcf8268456988bfa8e3637d373438c2"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-path-traversal-in-sandbox-skill-mirroring-via-name-parameter"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw\u0027s sandbox skill mirroring path traversal vulnerability could write outside the sandbox workspace"
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.