LeakyCreds

CVE-2026-28470 - Vulnerability Analysis

Severity: Critical | CVSS: 9.8

Last Updated: March 5, 2026

OpenClaw - Command Injection

Published: March 5, 2026 | Updated: March 5, 2026 | Remote Exploitable

Overview

OpenClaw versions prior to 2026.2.2 contain a command injection vulnerability in the exec approvals allowlist. Command substitution syntax is not escaped when a command is checked against the allowlist, so an attacker can embed a substitution (for example `$(...)`) inside an otherwise allowlisted command: the allowlist check passes, and the nested command runs when the string is executed. Exploitation requires exec approvals to be enabled.
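To make the bug class concrete, here is an added illustration (not OpenClaw's code, and not a reconstruction of the patched check) of the two mistakes that together produce this kind of allowlist bypass: matching only the command name, and then handing the approved string to a shell that expands whatever substitution was riding inside an argument. The allowlist contents and the `echo $(printf INJECTED)` payload are constructed for the example; the hardened form both refuses substitution syntax after shell-style tokenization and runs the resulting argv without a shell.

```python
# Added illustration (hypothetical, not OpenClaw's code): a prefix-matched exec
# allowlist that still passes the string to a shell, beside a hardened form.
import re
import shlex
import subprocess

# Constructed sample allowlist: commands a user has approved for an agent to run.
ALLOWLIST = {"ls", "cat", "echo", "git"}

# Shell syntax that spawns a nested command even inside a "safe" argument:
# $(...), backticks, ${...}, and process substitution <(...) / >(...).
SUBSTITUTION = re.compile(r"\$\(|`|\$\{|<\(|>\(")

# Tokens that chain commands if the string is later handed to a shell.
OPERATORS = {";", "|", "||", "&", "&&", ">", ">>", "<"}


def naive_is_allowed(cmdline: str) -> bool:
    """Weak check: compares only the first whitespace-separated word.

    'echo $(id)' passes because 'echo' is allowlisted; the $(id) is never
    inspected, and a later sh -c expands it before echo ever runs.
    """
    words = cmdline.split()
    return bool(words) and words[0] in ALLOWLIST


def hardened_is_allowed(cmdline: str) -> bool:
    """Tokenize like a shell would, then refuse anything beyond a plain argv.

    shlex keeps $(...), backticks and ${...} as literal text inside tokens
    (quotes already resolved), so the regex sees them even when quoted.
    """
    try:
        argv = shlex.split(cmdline)
    except ValueError:          # unbalanced quotes: refuse rather than guess
        return False
    if not argv or argv[0] not in ALLOWLIST:
        return False
    if any(SUBSTITUTION.search(tok) for tok in argv):
        return False
    return not any(tok in OPERATORS for tok in argv)


def run_naive(cmdline: str) -> str:
    """Approved string goes through a shell, so substitution executes."""
    if not naive_is_allowed(cmdline):
        raise PermissionError(cmdline)
    return subprocess.run(cmdline, shell=True, capture_output=True, text=True).stdout


def run_hardened(cmdline: str) -> str:
    """Approved argv runs without a shell: metacharacters are inert bytes."""
    if not hardened_is_allowed(cmdline):
        raise PermissionError(cmdline)
    argv = shlex.split(cmdline)
    return subprocess.run(argv, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Constructed attacker input: a harmless printf stands in for a real payload.
    payload = "echo $(printf INJECTED)"
    print("naive   :", repr(run_naive(payload)))          # 'INJECTED\n'
    try:
        run_hardened(payload)
    except PermissionError:
        print("hardened: rejected")
    print("hardened:", repr(run_hardened("echo hello")))   # 'hello\n'
```

The second layer (no shell at all) is what actually closes the hole: once the argv is executed directly, `$(...)` is just bytes in an argument. The substitution regex is kept as a defence in depth for deployments that must still go through a shell, and it is deliberately conservative (it will also refuse a legitimate literal backtick in an argument).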

Severity & Score

Severity: Critical
CVSS Score: 9.8
EPSS Score: 6.7% (probability of exploitation in the next 30 days)

Impact

Attackers can execute arbitrary commands, potentially leading to full system compromise.

Mitigation

Update to version 2026.2.2 or later.

Social Media Activity (1 post)

TheHackerWire
@thehackerwire
Mar 6, 2026

🔴 CVE-2026-28470 - Critical (9.8) OpenClaw versions prior to 2026.2.2 contain an exec approvals (must be enabled) allowlist bypass vulnerability that allows attackers to execute arbitrary commands by injecting command substitution syntax. Attackers can bypass the allowlist protect... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-28470/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack


Details

CVE ID: CVE-2026-28470
Severity: Critical
CVSS Score: 9.8
Type: command_injection
Status: new
EPSS: 6.7%
Social Posts: 1

CWE

  • CWE-88 (Improper Neutralization of Argument Delimiters in a Command, 'Argument Injection')

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

6.7% (probability of exploitation in the next 30 days)