Vulnerability Description
OpenClaw versions 2026.1.5 prior to 2026.2.14 contain a vulnerability in the Gateway in which it does not sufficiently constrain configured hook module paths before passing them to dynamic import(), allowing code execution. An attacker with gateway configuration modification access can load and execute unintended local modules in the Node.js process.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Openclaw | Openclaw | >= 2026.1.5, < 2026.2.14 |
Related Weaknesses (CWE)
References
- https://github.com/openclaw/openclaw/commit/35c0e66ed057f1a9f7ad2515fdcef516bd65Patch
- https://github.com/openclaw/openclaw/commit/a0361b8ba959e8506dc79d638b6e6a00d128Patch
- https://github.com/openclaw/openclaw/security/advisories/GHSA-v6c6-vqqg-w888Vendor AdvisoryMitigation
- https://www.vulncheck.com/advisories/openclaw-arbitrary-code-execution-via-unsafThird Party Advisory
FAQ
What is CVE-2026-28456?
CVE-2026-28456 is a vulnerability with a CVSS score of 7.2 (HIGH). OpenClaw versions 2026.1.5 prior to 2026.2.14 contain a vulnerability in the Gateway in which it does not sufficiently constrain configured hook module paths before passing them to dynamic import(), a...
How severe is CVE-2026-28456?
CVE-2026-28456 has been rated HIGH with a CVSS base score of 7.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-28456?
Check the references section above for vendor advisories and patch information. Affected products include: Openclaw Openclaw.