anonhaven
Ad

CVE-2026-28466

CRITICAL CVSS 4.0: 9.4 EPSS 0.08%
Updated Mar 06, 2026
OpenClaw
Parameter Value
CVSS 9.4 (CRITICAL)
Affected Versions before 2026.2.14
Type CWE-863 (Incorrect Authorization (Неправильная авторизация))
Vendor OpenClaw
Public PoC No

OpenClaw versions prior to 2026.2.14 contain a vulnerability in the gateway in which it fails to sanitize internal approval fields in node.invoke parameters, allowing authenticated clients to bypass exec approval gating for system.run commands. Attackers with valid gateway credentials can inject approval control fields to execute arbitrary commands on connected node hosts, potentially compromising developer workstations and CI runners.

Attack Parameters

Attack Vector
Network
Атака возможна удалённо
Attack Complexity
Low
Легко эксплуатировать
Attack Requirements
None
Нет дополнительных условий
Privileges Required
Low
Нужны базовые права
User Interaction
None
Не нужно действие пользователя

Impact Assessment

Confidentiality
High
Полная утечка данных
Integrity
High
Полная модификация данных
Availability
High
Полный отказ в обслуживании

CVSS Vector v4.0

Weakness Type (CWE)

CWE-863 Incorrect Authorization (Неправильная авторизация)

References 6

https://github.com/openclaw/openclaw/commit/0af76f5f0e93540efbdf054895216c39869…
disclosure@vulncheck.com
https://github.com/openclaw/openclaw/commit/318379cdb8d045da0009b0051bd0e712e5c…
disclosure@vulncheck.com
https://github.com/openclaw/openclaw/commit/a7af646fdab124a7536998db6bd6ad567d2…
disclosure@vulncheck.com
https://github.com/openclaw/openclaw/commit/c1594627421f95b6bc4ad7c606657dc75b5…
disclosure@vulncheck.com
https://github.com/openclaw/openclaw/security/advisories/GHSA-gv46-4xfq-jv58
disclosure@vulncheck.com
https://www.vulncheck.com/advisories/openclaw-remote-code-execution-via-node-in…
disclosure@vulncheck.com
Share Post Share Share Share