← Retour aux CVEs

CVE-2026-28456

HIGH

7.2

Description

OpenClaw versions 2026.1.5 prior to 2026.2.14 contain a vulnerability in the Gateway in which it does not sufficiently constrain configured hook module paths before passing them to dynamic import(), allowing code execution. An attacker with gateway configuration modification access can load and execute unintended local modules in the Node.js process.

Details CVE

Score CVSS v3.17.2

SeveriteHIGH

Vecteur CVSSCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Vecteur d'attaqueNETWORK

ComplexiteLOW

Privileges requisHIGH

Interaction utilisateurNONE

Publie3/5/2026

Derniere modification3/9/2026

Sourcenvd

Observations honeypot0

Produits affectes

openclaw:openclaw

Faiblesses (CWE)

CWE-427

References

https://github.com/openclaw/openclaw/commit/35c0e66ed057f1a9f7ad2515fdcef516bd6584ce(disclosure@vulncheck.com)

https://github.com/openclaw/openclaw/commit/a0361b8ba959e8506dc79d638b6e6a00d12887e4(disclosure@vulncheck.com)

https://github.com/openclaw/openclaw/security/advisories/GHSA-v6c6-vqqg-w888(disclosure@vulncheck.com)

https://www.vulncheck.com/advisories/openclaw-arbitrary-code-execution-via-unsafe-hook-module-path-handling(disclosure@vulncheck.com)

Correlations IOC

Aucune correlation enregistree

This product uses data from the NVD API but is not endorsed or certified by the NVD.