OpenClaw 2.0.0-beta3 allows attackers to run malicious code
Severity score: 8.3 (CVSS 4.0)

CVE-2026-28393 GHSA-7xhj-55q9-pc3m
Summary

A security issue in OpenClaw versions from 2.0.0-beta3 up to, but not including, 2026.2.14 allows attackers with write access to the configuration to run unauthorized code. This could lead to unauthorized actions or data theft. Update to OpenClaw version 2026.2.14 or later to fix the issue.

What to do
  • Update steipete/openclaw to version 2026.2.14 or later.
Affected software
Vendor     Product   Affected versions             Fix available
steipete   openclaw  > 2.0.0-beta3, <= 2026.2.13   2026.2.14
openclaw   openclaw  > 2026.1.4, <= 2026.2.14      (none listed)
openclaw   openclaw  2.0.0                         (none listed)
Original title
OpenClaw versions 2.0.0-beta3 prior to 2026.2.14 contain a path traversal vulnerability in hook transform module loading that allows arbitrary JavaScript execution. The hooks.mappings[].transform.m...
Original description
OpenClaw versions 2.0.0-beta3 prior to 2026.2.14 contain a path traversal vulnerability in hook transform module loading that allows arbitrary JavaScript execution. The hooks.mappings[].transform.module parameter accepts absolute paths and traversal sequences, enabling attackers with configuration write access to load and execute malicious modules with gateway process privileges.
NVD CVSS 3.1: 7.7
NVD CVSS 4.0: 8.3
Vulnerability type
CWE-427 Uncontrolled Search Path Element
CWE-22 Path Traversal
Published: 5 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026