CVE-2026-28447
MEDIUM WAF: High
CVSS 6.5
Published: 2026-03-05
CWE-22
OpenClaw versions 2026.1.29-beta.1 prior to 2026.2.1 contain a path traversal vulnerability in plugin installation that allows malicious plugin package names to escape the extensions directory. Attackers can craft scoped package names containing path traversal sequences like .. to write files outside the intended installation directory when victims run the plugins install command.
WAF Coverage Analysis
Path Traversal
High WAF Coverage
OWASP: A01:2021 Broken Access Control
930xxx - Local File Inclusion
Affected Software
| Vendor | Product | Version |
|---|---|---|
| openclaw | openclaw | 2026.1.29 - 2026.2.1 |
References
- github.com (Patch)
- github.com (Vendor Advisory)
- www.vulncheck.com (Broken Link)