
New OpenClaw CVEs Disclosed: Path Traversal and DoS Vulnerabilities

Source: RedPacket Security
Tags: security, CVE, vulnerability, path-traversal, denial-of-service

What Happened

Two new CVEs were disclosed for OpenClaw in early March, adding to the growing list of security vulnerabilities in the platform. CVE-2026-28462 is a path traversal vulnerability in OpenClaw's browser control API affecting versions prior to 2026.2.13 — the API accepts user-supplied output paths for trace and download files without properly constraining writes to temporary directories. Attackers with API access can exploit the POST /trace/stop, /wait/download, and /download endpoints to write files outside intended temp roots. Separately, CVE-2026-28394 is a denial-of-service vulnerability in OpenClaw's web_fetch tool that enables attackers to crash the Gateway process through memory exhaustion.

These vulnerabilities join the existing batch of seven CVEs (CVE-2026-25593 through CVE-2026-26329) disclosed in February, bringing the total number of disclosed OpenClaw vulnerabilities to at least nine since the platform went viral.

Why It Matters

The path traversal vulnerability is particularly concerning for multi-tenant and cloud deployments, where arbitrary file writes could enable cross-tenant attacks and broader system compromise. The DoS vulnerability in web_fetch — a tool that agents routinely use for web browsing — means that a malicious website could crash an OpenClaw instance simply by being visited. Together, these CVEs reinforce the pattern that OpenClaw's rapid growth has outpaced its security hardening, and that each new feature (browser control, web fetching) introduces attack surface that traditional software doesn't face.

What's Next

Users running OpenClaw versions before 2026.2.13 should upgrade immediately and rotate any credentials that may have been exposed. The OpenClaw team has committed to publishing a comprehensive threat model and security roadmap. Expect third-party security tools like SecureClaw to add detection for these specific attack patterns.
