Home / Vulnerability Intelligence / CVE-2026-28447

CVE-2026-28447 - Vulnerability Analysis

HighCVSS: 8.1

Last Updated: March 6, 2026

OpenClaw - Path Traversal

Published: March 5, 2026Updated: March 6, 2026Remote Exploitable

Overview

OpenClaw < 2026.2.1 contains a path traversal vulnerability caused by insufficient validation of plugin package names during installation, letting attackers write files outside the intended directory, exploit requires victim to run plugin install command.

Severity & Score

Severity: High

CVSS Score: 8.1

EPSS Score: 3.0%(Probability of exploitation in next 30 days)

Impact

Attackers can write files outside the intended directory, potentially leading to arbitrary file modification or system compromise.

Mitigation

Update to version 2026.2.1 or later.

References

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Mar 6, 2026

🟠 CVE-2026-28447 - High (7.5) OpenClaw versions 2026.1.29-beta.1 prior to 2026.2.1 contain a path traversal vulnerability in plugin installation that allows malicious plugin package names to escape the extensions directory. Attackers can craft scoped package names containing p... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-28447/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-28447
Severity: High
CVSS Score: 8.1
Type: path_traversal
Status: new
EPSS: 3.0%
Social Posts: 1

CWE

CWE-22

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

EPSS Score

3.0%Probability of exploitation in the next 30 days