CVE-2026-28391 in OpenClaw

Summary

by MITRE • 03/06/2026

OpenClaw versions prior to 2026.2.2 fail to properly validate Windows cmd.exe metacharacters in allowlist-gated exec requests (non-default configuration), allowing attackers to bypass command approval restrictions. Remote attackers can craft command strings with shell metacharacters like & or %...% to execute unapproved commands beyond the allowlisted operations.


Analysis

by VulDB Data Team • 03/10/2026

CVE-2026-28391 affects OpenClaw versions prior to 2026.2.2. It is a command injection flaw in the allowlist-gated exec path, which is only reachable in a non-default configuration: when an operator enables an allowlist of approved commands, exec requests that match an allowlisted command are accepted without further approval. On Windows the request string is handed to cmd.exe, and the gate did not account for cmd.exe metacharacters, so the approval decision was made on a different command than the one the shell actually ran.

The defect is in how the request string is validated before it reaches the shell. The gate inspects the command it expects to run, but cmd.exe re-parses the full string: & (and &&, |, ||) separates commands, so an allowlisted command followed by & and a second command passes the gate while cmd.exe executes both. %NAME% references are expanded before execution, so a token that looks harmless to a string comparison can resolve to something the gate never saw (for example, %COMSPEC% names cmd.exe without spelling it). Redirection and the ^ escape character are further cmd.exe operators with the same property. The result is that a remote requester who can reach the exec interface can run commands outside the allowlist on Windows hosts.

Impact is bounded by the privileges of the process performing the exec: an attacker gains arbitrary command execution at that level, which is exactly what the approval allowlist was deployed to prevent. From there the usual post-exploitation outcomes follow, such as reading data the process can reach, establishing persistence, or moving laterally. Exploitation requires no memory corruption or elaborate payload, only knowledge of cmd.exe syntax. Only Windows deployments running the non-default allowlist configuration are affected; default configurations are not. At the time of this entry the page records an EPSS of 0.00081, no KEV listing and very low observed activity.

The weakness maps to CWE-78 (improper neutralization of special elements used in an OS command) and to ATT&CK technique T1059.003 (Command and Scripting Interpreter: Windows Command Shell). Affected users should upgrade to OpenClaw 2026.2.2 or later, which corrects the validation. As defense in depth, an exec gate should not try to sanitize metacharacters out of a string destined for cmd.exe, since caret escapes, quoting and delayed expansion make that error-prone; it should reject any request containing them, tokenize the request itself, evaluate the allowlist on the resolved executable name rather than on the raw string, and spawn the program with an argument vector rather than through a shell. Logging every exec request and alerting on allowlisted commands followed by separators or %NAME% references gives a detection path for attempts against unpatched hosts.
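The following is an added example, not OpenClaw's code (the page shows none and the project's implementation is not described here). It contrasts the vulnerable pattern from the paragraphs above, approving on the first token and then passing the whole string to cmd.exe, with a hardened gate that rejects cmd.exe metacharacters outright and returns an argument vector for a shell-less spawn. The allowlist, the sample requests and the simplified cmd.exe splitter are all constructed for illustration.

```python
import re
from typing import List, Optional

# Constructed allowlist for this demonstration; not OpenClaw's configuration.
ALLOWLIST = {"whoami", "hostname", "ipconfig"}

# Characters cmd.exe interprets before the target program sees its arguments:
# & && | || separate or pipe commands, < > redirect, ^ escapes the next
# character, %NAME% expands an environment variable (so %COMSPEC% names
# cmd.exe without spelling it), ! expands under delayed expansion, and
# CR/LF end the command line.
CMD_METACHARS = re.compile(r"[&|<>^%!\r\n]")


def naive_is_allowed(request: str) -> bool:
    """Vulnerable pattern: approve on the first whitespace-delimited token,
    then hand the *whole* string to cmd.exe /c. The gate and the shell
    disagree about what the command is."""
    tokens = request.strip().split()
    return bool(tokens) and tokens[0].lower() in ALLOWLIST


def cmd_commands(request: str) -> List[str]:
    """Approximate cmd.exe's split of one line into separate commands on
    &, &&, | and || outside double quotes and not escaped by ^.
    Simplified model for illustration; real cmd.exe has further quirks
    (for example, %VAR% expansion happens before this split)."""
    commands: List[str] = []
    buf: List[str] = []
    in_quote = False
    i = 0
    while i < len(request):
        ch = request[i]
        if ch == "^" and not in_quote and i + 1 < len(request):
            buf.append(request[i + 1])      # ^X yields a literal X
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        elif ch in "&|" and not in_quote:
            commands.append("".join(buf).strip())
            buf = []
            if i + 1 < len(request) and request[i + 1] == ch:
                i += 1                      # && or || is one separator
            i += 1
            continue
        buf.append(ch)
        i += 1
    commands.append("".join(buf).strip())
    return [c for c in commands if c]


def hardened_argv(request: str) -> Optional[List[str]]:
    """Hardened gate: refuse any request containing a cmd.exe metacharacter
    (reject, do not try to sanitise), tokenise it ourselves, check the
    executable name, and return an argv list for a shell-less spawn such as
    subprocess.run(argv, shell=False). None means refuse."""
    if CMD_METACHARS.search(request):
        return None
    tokens = request.strip().split()
    if not tokens:
        return None
    exe = tokens[0]
    # Refuse paths: the allowlist names programs, not arbitrary locations.
    if any(sep in exe for sep in ("\\", "/", ":")):
        return None
    name = exe.lower()
    if name.endswith(".exe"):
        name = name[:-4]
    if name not in ALLOWLIST:
        return None
    return tokens


if __name__ == "__main__":
    # Constructed sample requests: one legitimate, two bypass attempts.
    for req in ("ipconfig /all",
                "whoami & net user backdoor Passw0rd /add",
                "hostname && %COMSPEC% /c dir C:\\Users"):
        print(f"{req!r}: naive={naive_is_allowed(req)} "
              f"cmd_runs={cmd_commands(req)} hardened={hardened_argv(req)}")
```

The point of `cmd_commands` is to make the gap visible: for the second request the naive gate answers "allowed" because it only sees `whoami`, while cmd.exe would run `whoami` and then `net user ...` as two commands. The hardened gate never reaches that situation because it refuses the string as soon as a metacharacter appears, and because the returned argv is meant for a spawn that does not involve cmd.exe at all.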

Responsible: VulnCheck
Reservation: 02/27/2026
Disclosure: 03/06/2026
Moderation: accepted
CPE: ready
EPSS: 0.00081
KEV: no
Activities: very low
