CVSS score: 6.7
OpenClaw Browser Download Function Allows Uncontrolled File Placement
CVE-2026-26972
GHSA-xwjm-j929-xq7c
Summary
A security issue in OpenClaw's browser download feature allows an attacker with authenticated access to write files outside the intended download directory. This could lead to data loss or system compromise if left unaddressed. To fix this, update to OpenClaw version 2026.2.13 or later.
What to do
- Update steipete/openclaw to version 2026.2.13 or later.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| steipete | openclaw | > 2026.1.12, <= 2026.2.12 | 2026.2.13 |
| openclaw | openclaw | > 2026.1.12, <= 2026.2.13 | – |
Original title
OpenClaw has a Path Traversal in Browser Download Functionality
Original description
### Summary
OpenClaw browser download helpers accepted an unsanitized output path. When invoked via the browser control gateway routes, this allowed path traversal to write downloads outside the intended OpenClaw temp downloads directory.
This issue is not exposed via the AI agent tool schema (no `download` action). Exploitation requires authenticated CLI access or an authenticated gateway RPC token.
### Affected Packages / Versions
- Package: `openclaw` (npm)
- Affected: >=2026.1.12, <=2026.2.12
- Fixed: >=2026.2.13
### Details
Affected code: `src/browser/pw-tools-core.downloads.ts` (`waitForDownloadViaPlaywright`, `downloadViaPlaywright`).
Fixed entrypoints (as of 2026.2.13):
- Gateway browser control routes `/wait/download` and `/download` now restrict `path` to `DEFAULT_DOWNLOAD_DIR` via `resolvePathWithinRoot`.
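As an added illustration (not OpenClaw's code), the kind of containment check the fix describes for the `path` parameter: the unchecked resolution that lets a caller-supplied path leave the downloads directory, beside a `resolvePathWithinRoot`-style guard. The root directory value, the function bodies and the error class are assumptions; the real `DEFAULT_DOWNLOAD_DIR` and `resolvePathWithinRoot` live in the openclaw repository.

```typescript
// Added example, not OpenClaw's code. Uses path.posix so results are the
// same on every platform; the root value below is a constructed stand-in.
import * as path from "node:path";

// Constructed stand-in for DEFAULT_DOWNLOAD_DIR (real value not on the page).
const DEFAULT_DOWNLOAD_DIR = "/tmp/openclaw/downloads";

class PathOutsideRootError extends Error {
  readonly requested: string;
  constructor(requested: string) {
    super(`download path escapes the downloads directory: ${requested}`);
    this.name = "PathOutsideRootError";
    this.requested = requested;
  }
}

// Pre-fix shape of the problem: the caller-supplied path is resolved against
// the downloads dir and used as-is, so "../x" or an absolute path is honoured.
function resolveUnchecked(requested: string, root = DEFAULT_DOWNLOAD_DIR): string {
  return path.posix.resolve(root, requested);
}

// Hardened: normalise, then require the result to be the root itself or a
// descendant. Comparing against root + "/" keeps a naive prefix match from
// accepting a sibling such as "/tmp/openclaw/downloads2".
function resolvePathWithinRoot(requested: string | undefined, root = DEFAULT_DOWNLOAD_DIR): string {
  const rootAbs = path.posix.resolve(root);
  if (requested === undefined || requested === "") {
    return rootAbs; // no path given: the helper picks a name inside the root
  }
  const candidate = path.posix.resolve(rootAbs, requested);
  const rootWithSep = rootAbs.endsWith("/") ? rootAbs : rootAbs + "/";
  if (candidate !== rootAbs && !candidate.startsWith(rootWithSep)) {
    throw new PathOutsideRootError(requested);
  }
  // This is a lexical check only. If the root can contain symlinks, the
  // writer must also realpath the final target before opening it.
  return candidate;
}

// True when the hardened check accepts the requested path.
function isWithinRoot(requested: string, root = DEFAULT_DOWNLOAD_DIR): boolean {
  try {
    resolvePathWithinRoot(requested, root);
    return true;
  } catch (e) {
    if (e instanceof PathOutsideRootError) return false;
    throw e;
  }
}
```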
### Fix Commit(s)
- 7f0489e4731c8d965d78d6eac4a60312e46a9426
### Mitigation
Upgrade to `openclaw` >=2026.2.13.
Thanks @locus-x64 for reporting.
NVD CVSS 3.1 score: 6.7
Vulnerability type
CWE-22
Path Traversal
- https://nvd.nist.gov/vuln/detail/CVE-2026-26972
- https://github.com/advisories/GHSA-xwjm-j929-xq7c
- https://github.com/openclaw/openclaw/commit/7f0489e4731c8d965d78d6eac4a60312e46a... Patch
- https://github.com/openclaw/openclaw/releases/tag/v2026.2.13 Product Release Notes
- https://github.com/openclaw/openclaw/security/advisories/GHSA-xwjm-j929-xq7c Patch Vendor Advisory
Published: 18 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026