Description
OpenClaw versions prior to 2026.2.14 contain a path traversal vulnerability in sandbox skill mirroring (the feature must be enabled): the skill frontmatter name parameter is used unsanitized when copying skills into the sandbox workspace. An attacker who supplies a crafted skill package with traversal sequences such as ../ or an absolute path in the name field can write files outside the sandbox workspace root directory.
References
- Patch
- Vendor Advisory, Patch
- Third Party Advisory
Vulnerable configurations
Configuration 1: version before 2026.2.14 (exclusive)
cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
EPSS
Score: 0.00027 (percentile: 8%), Low
CVSS3: 6.1 Medium
CVSS3: 7.9 High
Weaknesses
CWE-22
Related vulnerabilities
github, 29 days ago, CVSS3: 7.1
OpenClaw's sandbox skill mirroring path traversal vulnerability could write outside the sandbox workspace