CVE-2026-28456 - Vulnerability Analysis
HighCVSS: 8.4Last Updated: March 5, 2026
OpenClaw - Command Injection
Overview
OpenClaw < 2026.2.14 contains a command injection caused by insufficient constraint of configured hook module paths in the Gateway, letting attackers with gateway configuration modification access execute arbitrary code via dynamic import().
Severity & Score
Impact
Attackers with gateway configuration access can execute arbitrary code in the Node.js process, potentially leading to full system compromise.
Mitigation
Upgrade to version 2026.2.14 or later.
References
- https://www.vulncheck.com/advisories/openclaw-arbitrary-code-execution-via-unsafe-hook-module-path-handling
- https://github.com/openclaw/openclaw/commit/35c0e66ed057f1a9f7ad2515fdcef516bd6584ce
- https://github.com/openclaw/openclaw/commit/a0361b8ba959e8506dc79d638b6e6a00d12887e4
- https://github.com/openclaw/openclaw/security/advisories/GHSA-v6c6-vqqg-w888
Social Media Activity(1 post)
š CVE-2026-28456 - High (8.4) OpenClaw versions 2026.1.5 prior to 2026.2.14 contain a vulnerability in the Gateway in which it does not sufficiently constrain configured hook module paths before passing them to dynamic import(), allowing code execution. An attacker with gatewa... š https://www.thehackerwire.com/vulnerability/CVE-2026-28456/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
View original postRelated Resources
Details
- CVE ID
- CVE-2026-28456
- Severity
- High
- CVSS Score
- 8.4
- Type
- command_injection
- Status
- new
- EPSS
- 6.0%
- Social Posts
- 1
CWE
- CWE-427
CVSS Metrics
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H