Nixpkgs Security Tracker

Login with GitHub

Suggestion detail

Dismissed
Permalink CVE-2026-28482
updated 6 days, 11 hours ago by @mweinelt Activity log
  • Created automatic suggestion 1 week, 1 day ago
  • @mweinelt dismissed 6 days, 11 hours ago
OpenClaw < 2026.2.12 - Path Traversal via Unsanitized sessionId and sessionFile Parameters

OpenClaw versions prior to 2026.2.12 construct transcript file paths using unsanitized sessionId parameters and sessionFile paths without enforcing directory containment. Authenticated attackers can exploit path traversal sequences like ../../etc/passwd in sessionId or sessionFile parameters to read or write arbitrary files outside the agent sessions directory.

References

Affected products

OpenClaw
  • <2026.2.12

Matching in nixpkgs

Package maintainers

Unaffected, never had 2026.2.12 or older.