GHSA-XWJM-J929-XQ7C

Vulnerability from github – Published: 2026-02-18 17:37 – Updated: 2026-02-20 16:46
VLAI?
Summary
OpenClaw has a Path Traversal in Browser Download Functionality
Details

Summary

OpenClaw browser download helpers accepted an unsanitized output path. When invoked via the browser control gateway routes, this allowed path traversal to write downloads outside the intended OpenClaw temp downloads directory.

This issue is not exposed via the AI agent tool schema (no download action). Exploitation requires authenticated CLI access or an authenticated gateway RPC token.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Affected: >=2026.1.12, <=2026.2.12
  • Fixed: >=2026.2.13

Details

Affected code: src/browser/pw-tools-core.downloads.ts (waitForDownloadViaPlaywright, downloadViaPlaywright).

Fixed entrypoints (as of 2026.2.13): - Gateway browser control routes /wait/download and /download now restrict path to DEFAULT_DOWNLOAD_DIR via resolvePathWithinRoot.

Fix Commit(s)

  • 7f0489e4731c8d965d78d6eac4a60312e46a9426

Mitigation

Upgrade to openclaw >=2026.2.13.

Thanks @locus-x64 for reporting.

Severity ?
6.7 (Medium)
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2026.2.12"
      },
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2026.1.12"
            },
            {
              "fixed": "2026.2.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-26972"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-18T17:37:52Z",
    "nvd_published_at": "2026-02-20T00:16:16Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nOpenClaw browser download helpers accepted an unsanitized output path. When invoked via the browser control gateway routes, this allowed path traversal to write downloads outside the intended OpenClaw temp downloads directory.\n\nThis issue is not exposed via the AI agent tool schema (no `download` action). Exploitation requires authenticated CLI access or an authenticated gateway RPC token.\n\n### Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected: \u003e=2026.1.12, \u003c=2026.2.12\n- Fixed: \u003e=2026.2.13\n\n### Details\n\nAffected code: `src/browser/pw-tools-core.downloads.ts` (`waitForDownloadViaPlaywright`, `downloadViaPlaywright`).\n\nFixed entrypoints (as of 2026.2.13):\n- Gateway browser control routes `/wait/download` and `/download` now restrict `path` to `DEFAULT_DOWNLOAD_DIR` via `resolvePathWithinRoot`.\n\n### Fix Commit(s)\n\n- 7f0489e4731c8d965d78d6eac4a60312e46a9426\n\n### Mitigation\n\nUpgrade to `openclaw` \u003e=2026.2.13.\n\nThanks @locus-x64 for reporting.",
  "id": "GHSA-xwjm-j929-xq7c",
  "modified": "2026-02-20T16:46:20Z",
  "published": "2026-02-18T17:37:52Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-xwjm-j929-xq7c"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26972"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/7f0489e4731c8d965d78d6eac4a60312e46a9426"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.13"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OpenClaw has a Path Traversal in Browser Download Functionality"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.