CVE-2026-28463 - Vulnerability Analysis

Overview

OpenClaw exec-approvals allowlist mode contains an information disclosure vulnerability caused by pre-expansion validation of argv tokens but real shell expansion during execution, letting authorized callers or attackers with prompt-injection read arbitrary local files, exploit requires host execution enabled in allowlist mode.

Severity & Score

Impact

Attackers can read arbitrary local files accessible to the gateway or node process, leading to sensitive information disclosure.

Mitigation

Disable host execution in allowlist mode or apply patches that correctly validate shell expansions; otherwise, update to the latest version.

References

• https://github.com/openclaw/openclaw/commit/77b89719d5b7e271f48b6f49e334a8b991468c3b
• https://github.com/openclaw/openclaw/security/advisories/GHSA-xvhf-x56f-2hpp
• https://www.vulncheck.com/advisories/openclaw-arbitrary-file-read-via-shell-expansion-in-safe-bins-allowlist

Related Resources

• Vulnerability Intelligence Dashboard
• Credential Scanner