OpenClaw gateway plugin versions prior to 2026.2.26 contain a path traversal vulnerability that allows remote attackers to bypass route…
VulnCheck·CWE-289·Published 2026-03-03
OpenClaw gateway plugin versions prior to 2026.2.26 contain a path traversal vulnerability that allows remote attackers to bypass route authentication checks by manipulating /api/channels paths with encoded dot-segment traversal sequences. Attackers can craft alternate paths using encoded traversal patterns to access protected plugin channel routes when handlers normalize the incoming path, circumventing security controls.
### Summary

Gateway plugin route auth protection for `/api/channels` could be bypassed using encoded dot-segment traversal (for example `..%2f`) in path variants that plugin handlers normalize.

### Affected Packages / Versions

- Package: npm `openclaw`
- Latest published vulnerable version: `2026.2.25`
- Vulnerable version range: `<= 2026.2.25`
- Patched version: `2026.2.26` (planned next release)

### Impact

Under affected versions, crafted alternate paths could bypass gateway auth checks for protected plugin channel routes when plugin handlers decode/canonicalize the incoming path and then route to `/api/channels/...` handlers.

### Fix Commit(s)

- `258d615c45527ffda37cecd08cd268f97461bde0`

### Release Process Note

`patched_versions` is pre-set to the planned next release (`2026.2.26`). After npm publish, maintainers only need to publish the advisory.

OpenClaw thanks @zpbrent for reporting.
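The failure mode the advisory describes is a guard that inspects the raw request path while the downstream handler decodes and normalizes it, so the two disagree about which route is being served. The following is an added JavaScript illustration of that pattern beside its hardened form; it is not OpenClaw's code or the fix commit, and the guard, the canonicalizer and the sample paths are all constructed for this example. The hardened guard canonicalizes exactly once (percent-decode, then RFC 3986 dot-segment removal), fails closed on anything it cannot bring into a single form, and takes the auth decision on the same canonical path a handler would route on.

```javascript
// Added example: a route guard that checks the raw path (vulnerable pattern)
// beside one that checks the canonical path (hardened). Hypothetical code,
// not OpenClaw's; the names and sample paths below are constructed.

const PROTECTED = "/api/channels";

function isProtected(path) {
  return path === PROTECTED || path.startsWith(PROTECTED + "/");
}

// Vulnerable pattern: the guard looks at the raw request path. A handler
// that later percent-decodes and normalizes the path can still end up
// serving /api/channels/..., so guard and handler disagree.
function naiveRequiresAuth(rawPath) {
  return isProtected(rawPath.split("?")[0]);
}

// RFC 3986 section 5.2.4 dot-segment removal on an already-decoded path.
// Empty segments ("//") are dropped as well, so every logical path has a
// single canonical spelling.
function removeDotSegments(path) {
  const out = [];
  for (const seg of path.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") { out.pop(); continue; }
    out.push(seg);
  }
  return "/" + out.join("/");
}

// Canonicalize once. Returns null when the path cannot be brought into an
// unambiguous form; callers treat null as "protected" (fail closed).
function canonicalizePath(rawPath) {
  const pathOnly = rawPath.split("?")[0];
  let decoded;
  try {
    decoded = decodeURIComponent(pathOnly);
  } catch (_e) {
    return null; // malformed percent-encoding
  }
  // One decode pass only: a remaining '%' means the client double-encoded,
  // and a second layer would decode differently at every hop.
  if (decoded.includes("%")) return null;
  // Backslashes and NUL bytes act as separator lookalikes in some routers.
  if (/[\\\0]/.test(decoded)) return null;
  return removeDotSegments(decoded);
}

// Hardened pattern: the auth decision is taken on the canonical path, the
// same string the handler should route on.
function hardenedRequiresAuth(rawPath) {
  const canonical = canonicalizePath(rawPath);
  if (canonical === null) return true;
  return isProtected(canonical);
}

// Constructed sample paths (not taken from the advisory) exercising both guards.
const SAMPLE_PATHS = [
  "/api/channels/list",                 // plain protected route
  "/api/channels",                      // protected route, no trailing segment
  "/api/plugins/demo/list",             // legitimately unprotected route
  "/api/plugins/..%2fchannels/list",    // encoded dot-segment, one decode pass
  "/api/public/%2e%2e/channels/list",   // encoded dots with a literal slash
  "/api/plugins/..%252fchannels/list",  // double-encoded: cannot canonicalize
];

function compareGuards(paths = SAMPLE_PATHS) {
  return paths.map((p) => ({
    rawPath: p,
    canonical: canonicalizePath(p),
    naive: naiveRequiresAuth(p),
    hardened: hardenedRequiresAuth(p),
  }));
}

for (const row of compareGuards()) {
  console.log(JSON.stringify(row));
}
```

Run with `node`, and the fourth and fifth rows show the disagreement the advisory is about: `naive` is `false` because the raw string does not start with `/api/channels`, while `canonical` is `/api/channels/list` and `hardened` is `true`. The sixth row shows the fail-closed branch: a double-encoded path is rejected rather than decoded again, which is what keeps a gateway and the plugin behind it from each applying a different number of decode passes.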
| Version | Type | Source | Base Score | Exploitability | Impact | Vector |
|---|---|---|---|---|---|---|
| 3.1 | Primary | NVD | 8.2 | 3.9 | 4.2 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N |
| 3.1 | Primary | cve.org | 6.5 | — | — | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N |
| 3.1 | Secondary | GHSA | 6.5 | — | — | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N |
| 3.1 | Secondary | NVD | 6.5 | 2.2 | 4.2 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N |
| 4.0 | Primary | cve.org | 8.3 | — | — | CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N |
| 4.0 | Secondary | GHSA | 8.3 | — | — | CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| 4.0 | Secondary | NVD | 8.3 | — | — | CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |