CVE-2026-28463 - Vulnerability Analysis
High | CVSS: 8.4 | Last Updated: March 5, 2026
OpenClaw exec-approvals - Information Disclosure
Overview
OpenClaw's exec-approvals allowlist mode contains an information disclosure vulnerability: argv tokens are validated before shell expansion, but execution performs real shell expansion, so authorized callers, or attackers using prompt injection, can read arbitrary local files. Exploitation requires host execution to be enabled in allowlist mode.
Severity & Score
Impact
Attackers can read arbitrary local files accessible to the gateway or node process, leading to sensitive information disclosure.
Mitigation
Disable host execution in allowlist mode, or apply the patches that correctly validate shell expansions; otherwise, update to the latest version.
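To make the mechanism in the Overview and the fix in the Mitigation concrete, here is an added illustration (not OpenClaw's code; the allowlist, the /workspace directory and the function names are constructed for this example): a token-level check that accepts literal argv strings, the shell-based execution that expands them afterwards, and a hardened pair that rejects expandable tokens, resolves paths, and runs without a shell.

```python
import os
import subprocess

# Constructed allowlist for this illustration; not OpenClaw's real configuration.
SAFE_BINS = {"head", "tail", "grep"}
ALLOWED_DIR = "/workspace/"
# Characters a POSIX shell rewrites (globs, variables, tilde, braces, backticks)
# after a token-level allowlist has already accepted the literal token.
EXPANSION_CHARS = set("*?[$`~{}")


def legacy_check(argv):
    """Pre-expansion check modelled on the flaw: each token is inspected as a
    literal string, so '/workspace/$VAR' or '/workspace/*' passes the prefix
    test even though the shell rewrites it before the binary runs.
    In this illustration every non-flag argument is treated as a path."""
    if not argv or argv[0] not in SAFE_BINS:
        return False
    return all(t.startswith("-") or t.startswith(ALLOWED_DIR) for t in argv[1:])


def legacy_run(argv):
    """Vulnerable execution path: joining the tokens into one string and
    handing it to a shell performs the expansion the check never saw."""
    return subprocess.run(" ".join(argv), shell=True, capture_output=True)


def hardened_check(argv):
    """Same allowlist, plus two fixes: refuse any token a shell could expand,
    and resolve paths with realpath so '..' and symlinks stay inside the tree."""
    if not argv or argv[0] not in SAFE_BINS:
        return False
    for tok in argv[1:]:
        if EXPANSION_CHARS & set(tok):
            return False
        if tok.startswith("-"):
            continue
        if not os.path.realpath(tok).startswith(ALLOWED_DIR):
            return False
    return True


def hardened_run(argv):
    """Execute the validated argv as a list with shell=False: no expansion
    occurs, so the tokens that were checked are exactly the tokens that run."""
    if not hardened_check(argv):
        raise PermissionError("argv rejected by allowlist")
    return subprocess.run(argv, shell=False, capture_output=True)
```

The essential property is that validation and execution see the same tokens; rejecting expansion characters is defence in depth, while passing a list with shell=False is what actually removes the expansion step.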
References
Social Media Activity (1 post)
CVE-2026-28463 - High (8.4) OpenClaw exec-approvals allowlist validation checks pre-expansion argv tokens but execution uses real shell expansion, allowing safe bins like head, tail, or grep to read arbitrary local files via glob patterns or environment variables. Authorized... https://www.thehackerwire.com/vulnerability/CVE-2026-28463/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
Details
- CVE ID: CVE-2026-28463
- Severity: High
- CVSS Score: 8.4
- Type: undefined
- Status: new
- EPSS: 2.0%
- Social Posts: 1
CWE
- CWE-78
CVSS Metrics
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H