Vibe Security Radar

CVE-2026-28482

Mar 5, 2026
CWE-22
TypeScript
Verified by claude-opus-4-6, gemini-3.1-flash-lite-preview, gemini-3.1-pro-preview, gpt-5.4
Severity
MEDIUM (8.4)
Verdict
CONFIRMED
low confidence
AI Tool
Claude Code
Confidence
95%

OpenClaw's unsanitized session ID enables path traversal in transcript file operations

How AI Introduced This

path traversal

The blamed commit modified `resolveSessionTranscriptPath` to dynamically construct a filename using the `sessionId` parameter and then passed it directly to `path.join` without any validation or sanitization, allowing directory traversal sequences in the `sessionId` to escape the intended directory.

Root Cause

The application failed to sanitize user-provided session IDs before using them to construct file system paths, allowing attackers to escape the intended session directory via directory traversal sequences (e.g., ../).

Bug-Introducing Commits (1)

Implement Phase 2: Topic-level message history isolation for multi-topic Telegram support

hsrvc, Jan 7, 2026, src/config/sessions/paths.ts, Blame: 100%

Tribunal Analysis

3 agents
CONFIRMED (low confidence)

GPT-5.4: CONFIRMED (98%)

The vulnerability is caused by constructing transcript paths directly from unvalidated session IDs, allowing `../` path traversal outside the sessions directory. In commit 8da4f259ddcf4206b070ff0f4b7b344535fc7eb7, `resolveSessionTranscriptPath()` was modified to build filenames as `${sessionId}-topic-${topicId}.jsonl` or `${sessionId}.jsonl` and return `path.join(resolveAgentSessionsDir(agentId), fileName)` with no session ID sanitization or containment check. The later fix adds `validateSessionId()` and `resolvePathWithinSessionsDir()` specifically to stop this, so this commit introduced the vulnerable pattern into the transcript path logic.

  • At commit 8da4f259ddcf4206b070ff0f4b7b344535fc7eb7, `src/config/sessions.ts` contains: ``const fileName = topicId !== undefined ? `${sessionId}-topic-${topicId}.jsonl` : `${sessionId}.jsonl`; return path.join(resolveAgentSessionsDir(agentId), fileName);``
  • This code uses attacker-controlled `sessionId` directly in a filesystem path and does not validate it or ensure the resolved path stays within the sessions directory.
  • The fix commit replaces this with `validateSessionId(sessionId)` and `resolvePathWithinSessionsDir(...)`, demonstrating those were the security-relevant changes.
  • Commit metadata shows 8da4f259 specifically changed `resolveSessionTranscriptPath()` to support topic-specific filenames, i.e. it is the commit that introduced the vulnerable version of this path-building logic in the blamed code path.
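The path-building shape quoted above next to a hardened resolver, as an added example that is not OpenClaw's code: the names `validateSessionId` and `resolvePathWithinSessionsDir` come from the fix description on this page, but their bodies, the allow-list pattern and the constructed sessions directory are assumptions made here.

```typescript
import * as path from "node:path";

// Constructed base directory for the demo; the real project derives it per agent.
const SESSIONS_DIR = path.resolve("/var/lib/openclaw/agents/main/sessions");

function resolveAgentSessionsDir(_agentId: string): string {
  return SESSIONS_DIR;
}

function transcriptFileName(sessionId: string, topicId?: number): string {
  return topicId !== undefined ? `${sessionId}-topic-${topicId}.jsonl` : `${sessionId}.jsonl`;
}

// Vulnerable shape described on the page: sessionId flows straight into path.join,
// so "../../x" in the id walks out of the sessions directory.
export function resolveTranscriptPathUnsafe(agentId: string, sessionId: string, topicId?: number): string {
  return path.join(resolveAgentSessionsDir(agentId), transcriptFileName(sessionId, topicId));
}

// Allow-list check (assumed policy): a bounded set of characters that cannot form
// a separator or a traversal sequence; ".." is rejected explicitly as well.
const SESSION_ID_RE = /^[A-Za-z0-9][A-Za-z0-9_.-]{0,127}$/;

export function validateSessionId(sessionId: string): string {
  if (!SESSION_ID_RE.test(sessionId) || sessionId.includes("..")) {
    throw new Error(`invalid session id: ${JSON.stringify(sessionId)}`);
  }
  return sessionId;
}

// Containment check (assumed implementation): resolve the candidate, then require
// the result to sit strictly under the base directory (prefix plus separator, so
// "sessions-evil" next to "sessions" does not pass).
export function resolvePathWithinSessionsDir(baseDir: string, fileName: string): string {
  const base = path.resolve(baseDir);
  const resolved = path.resolve(base, fileName);
  if (!resolved.startsWith(base + path.sep)) {
    throw new Error(`path escapes sessions dir: ${JSON.stringify(fileName)}`);
  }
  return resolved;
}

// Hardened resolver: validate the id first, then enforce containment on the result.
export function resolveTranscriptPathSafe(agentId: string, sessionId: string, topicId?: number): string {
  validateSessionId(sessionId);
  const fileName = transcriptFileName(sessionId, topicId);
  return resolvePathWithinSessionsDir(resolveAgentSessionsDir(agentId), fileName);
}
```

Both layers matter: the allow-list stops bad ids at the boundary, and the containment check catches any future caller that builds a file name without going through validation.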
Claude Opus 4.6: UNLIKELY (30%)

Fallback verdict: Agent exhausted max turns without submitting a verdict.

Gemini 3.1 Pro: UNLIKELY (30%)

Fallback verdict: Agent exhausted max turns without submitting a verdict.

Causality Analysis by Gemini 3.1 Flash Lite

Vulnerability: path traversal

Root Cause: The application failed to sanitize user-provided session IDs before using them to construct file system paths, allowing attackers to escape the intended session directory via directory traversal sequences (e.g., `../`).
Pattern: `path.join(baseDir, sessionId, filename)`
Causal Chain: The blamed commit modified `resolveSessionTranscriptPath` to dynamically construct a filename using the `sessionId` parameter and then passed it directly to `path.join` without any validation or sanitization, allowing directory traversal sequences in the `sessionId` to escape the intended directory.
AI Signals (2)

Commit 8da4f25

  • Claude Code, co-author trailer: Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com> (95%)
  • Claude Code, commit message keyword: Generated with Claude Code (95%)

Fix Commits (2)

References (6)