CVE-2026-28456 in OpenClaw
Summary
by MITRE • 03/06/2026
OpenClaw versions 2026.1.5 prior to 2026.2.14 contain a vulnerability in the Gateway in which it does not sufficiently constrain configured hook module paths before passing them to dynamic import(), allowing code execution. An attacker with gateway configuration modification access can load and execute unintended local modules in the Node.js process.
Analysis
by VulDB Data Team • 03/10/2026
The vulnerability identified as CVE-2026-28456 affects OpenClaw versions prior to 2026.2.14 and represents a critical security flaw in the system's Gateway component. This issue stems from insufficient validation of hook module paths during the dynamic import process, creating a path traversal and code execution vector that can be exploited by attackers with gateway configuration modification privileges. The vulnerability specifically targets the Gateway's handling of configured hook modules, where the system fails to properly sanitize or validate the paths provided by configuration before invoking dynamic import functions. This flaw directly enables attackers to manipulate the module loading process and execute arbitrary code within the Node.js runtime environment.
The technical implementation of this vulnerability resides in the Gateway's module resolution mechanism, which operates under the assumption that configuration inputs are trustworthy and properly formatted. When an attacker modifies gateway configuration parameters to specify hook module paths, the system passes these unvalidated paths directly to Node.js dynamic import functions without proper sanitization or path validation. This design flaw aligns with CWE-74 and CWE-94, representing code injection vulnerabilities that occur through improper input validation and insecure dynamic code execution practices. The attack vector requires an attacker to already possess access to modify gateway configurations, but once achieved, the impact is severe as it allows for arbitrary code execution within the Node.js process context, potentially leading to complete system compromise.
The operational impact of this vulnerability extends beyond simple code execution, as it enables attackers to escalate privileges and potentially gain access to sensitive system resources. Since the malicious modules execute within the Node.js process, attackers can leverage the existing permissions and capabilities of that process, including access to system files, network connections, and potentially other running services. This vulnerability particularly affects environments where configuration modification access is granted to multiple parties or where administrative privileges are not properly enforced. The risk is amplified in containerized environments or microservices architectures where the Node.js process may have broader system access than intended. The vulnerability can be exploited to establish persistent backdoors, exfiltrate data, or perform lateral movement within the network infrastructure.
Mitigation strategies for CVE-2026-28456 should prioritize immediate patching of affected OpenClaw installations to version 2026.2.14 or later, which contains the necessary security fixes. Organizations should implement strict access controls for gateway configuration modification, ensuring that only authorized administrators can change system parameters. Input validation and sanitization mechanisms should be strengthened to prevent path traversal attacks, including whitelist-based validation for module paths and absolute path resolution techniques. The ATT&CK framework categorizes this vulnerability under T1059.006 for execution through Node.js and T1566.002 for social engineering through configuration modification. Additional protective measures include runtime monitoring for unusual import activity, regular security audits of configuration files, and network segmentation to limit the impact of successful exploitation. Organizations should also apply the principle of least privilege to Node.js processes and regularly review and update access control policies to minimize the attack surface.