CVE-2026-28456 - Vulnerability Analysis
HighCVSS: 8.4Last Updated: March 5, 2026
OpenClaw - Command Injection
Published: March 5, 2026Updated: March 5, 2026
Overview
OpenClaw < 2026.2.14 contains a command injection caused by insufficient constraint of configured hook module paths in the Gateway, letting attackers with gateway configuration modification access execute arbitrary code via dynamic import().
Severity & Score
Severity: High
CVSS Score: 8.4
Impact
Attackers with gateway configuration access can execute arbitrary code in the Node.js process, potentially leading to full system compromise.
Mitigation
Upgrade to version 2026.2.14 or later.
References
- https://github.com/openclaw/openclaw/commit/35c0e66ed057f1a9f7ad2515fdcef516bd6584ce
- https://github.com/openclaw/openclaw/commit/a0361b8ba959e8506dc79d638b6e6a00d12887e4
- https://github.com/openclaw/openclaw/security/advisories/GHSA-v6c6-vqqg-w888
- https://www.vulncheck.com/advisories/openclaw-arbitrary-code-execution-via-unsafe-hook-module-path-handling
Related Resources
Details
- CVE ID
- CVE-2026-28456
- Severity
- High
- CVSS Score
- 8.4
- Type
- command_injection
- Status
- new
CWE
- CWE-427
CVSS Metrics
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H