8.6

OpenClaw Gateway Allows Unintended Code Execution via Configured Hook Module Paths

CVE-2026-28456 GHSA-v6c6-vqqg-w888
Summary

OpenClaw Gateway versions before 2026.2.14 are vulnerable to code execution: an attacker who can modify the gateway configuration can load and execute unintended local modules in the Node.js process. This could allow unauthorized actions or data access. Update to version 2026.2.14 or later to fix the issue.

What to do
  • Update steipete openclaw to version 2026.2.14.
Affected software
Vendor | Product | Affected versions | Fix available
steipete | openclaw | > 2026.1.5, <= 2026.2.14 | 2026.2.14
openclaw | openclaw | > 2026.1.5, <= 2026.2.14 | –
Original title
OpenClaw versions 2026.1.5 prior to 2026.2.14 contain a vulnerability in the Gateway in which it does not sufficiently constrain configured hook module paths before passing them to dynamic import()...
Original description
OpenClaw versions 2026.1.5 prior to 2026.2.14 contain a vulnerability in the Gateway in which it does not sufficiently constrain configured hook module paths before passing them to dynamic import(), allowing code execution. An attacker with gateway configuration modification access can load and execute unintended local modules in the Node.js process.
nvd CVSS3.1 7.2
nvd CVSS4.0 8.6
Vulnerability type
CWE-427 Uncontrolled Search Path Element
CWE-22 Path Traversal
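A containment check of the kind the description says was missing before dynamic import(), shown as an added example that is not OpenClaw's code. The function names and the single allowed hooks directory are assumptions, and the sample files are constructed.

```javascript
// Added example: names are hypothetical, this is not OpenClaw's code.
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');
const { pathToFileURL } = require('node:url');
const ALLOWED_EXT = new Set(['.js', '.mjs', '.cjs']);

// Return the canonical path of a configured hook module, or throw if it
// does not resolve to a regular file inside hooksRoot.
function resolveHookModule(hooksRoot, configuredPath) {
  if (typeof configuredPath !== 'string' || !configuredPath) throw new Error('hook path must be a non-empty string');
  if (path.isAbsolute(configuredPath)) throw new Error('absolute hook path rejected');
  const root = fs.realpathSync(hooksRoot);
  // path.resolve treats the value as a file path, so a bare package name is
  // never handed to import() for node_modules lookup. realpathSync follows
  // symlinks (and throws if the file is missing) before the containment check.
  const file = fs.realpathSync(path.resolve(root, configuredPath));
  const rel = path.relative(root, file);
  if (rel === '' || rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel)) {
    throw new Error('hook path escapes hooks directory');
  }
  if (!fs.statSync(file).isFile() || !ALLOWED_EXT.has(path.extname(file))) {
    throw new Error('hook path is not a JavaScript module file');
  }
  return file;
}

// Only a path that passed the check is converted to a file: URL and imported.
async function loadHook(hooksRoot, configuredPath) {
  return import(pathToFileURL(resolveHookModule(hooksRoot, configuredPath)).href);
}

// Constructed layout: hooks/ok.js is legitimate; outside.js lives beside the
// hooks directory; hooks/link.js is a symlink pointing at outside.js.
function demo() {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), 'hooks-demo-'));
  const hooks = path.join(base, 'hooks');
  fs.mkdirSync(hooks);
  fs.writeFileSync(path.join(hooks, 'ok.js'), 'module.exports = { name: "ok" };\n');
  fs.writeFileSync(path.join(base, 'outside.js'), 'module.exports = {};\n');
  fs.symlinkSync(path.join(base, 'outside.js'), path.join(hooks, 'link.js'));
  const verdict = (p) => {
    try { resolveHookModule(hooks, p); return 'allowed'; } catch (e) { return e.code || e.message; }
  };
  const inputs = ['ok.js', '../outside.js', 'link.js', path.join(base, 'outside.js'), 'left-pad'];
  const out = inputs.map(verdict);
  fs.rmSync(base, { recursive: true, force: true });
  return out;
}
```

Logging each rejected value alongside the identity that wrote the configuration gives responders a record of attempted out-of-tree hook paths.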
Published: 5 Mar 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026