CVE-2026-28466

CRITICAL

OpenClaw <2026.2.14 - Command Injection

Title source: llm

Description

OpenClaw versions prior to 2026.2.14 contain a vulnerability in the gateway in which it fails to sanitize internal approval fields in node.invoke parameters, allowing authenticated clients to bypass exec approval gating for system.run commands. Attackers with valid gateway credentials can inject approval control fields to execute arbitrary commands on connected node hosts, potentially compromising developer workstations and CI runners.

Exploits (1)

nomisec WORKING POC

by Orioning · poc

https://github.com/Orioning/CVE-2026-28466

View Code ZIP pw:eip

References (6)

[Patch] https://github.com/openclaw/openclaw/commit/0af76f5f0e93540efbdf054895216c398692afcd

View Patch ZIP pw:eip

[Patch] https://github.com/openclaw/openclaw/commit/318379cdb8d045da0009b0051bd0e712e5c65e2d

[Patch] https://github.com/openclaw/openclaw/commit/a7af646fdab124a7536998db6bd6ad567d2b06b0

[Patch] https://github.com/openclaw/openclaw/commit/c1594627421f95b6bc4ad7c606657dc75b5ad0ce

[Vendor Advisory] https://github.com/openclaw/openclaw/security/advisories/GHSA-gv46-4xfq-jv58

[Third Party Advisory] https://www.vulncheck.com/advisories/openclaw-remote-code-execution-via-node-invoke-approval-bypass

Scores

CVSS v3 9.9

EPSS 0.0004

EPSS Percentile 13.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Details

CWE

CWE-863

Status published

Products (2)

npm/openclaw 0 - 2026.2.14npm

openclaw/openclaw < 2026.2.14

Published Mar 05, 2026

Tracked Since Mar 06, 2026