CVE-2026-28393
📋 TL;DR
OpenClaw versions 2.0.0-beta3 through 2026.2.13 contain a path traversal vulnerability in the hook transform module loading mechanism. Attackers with configuration write access can exploit this to load and execute arbitrary JavaScript modules with gateway process privileges. This affects systems running vulnerable OpenClaw versions where attackers can modify configuration files.
💻 Affected Systems
- OpenClaw
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise via arbitrary code execution with gateway process privileges, potentially leading to data theft, lateral movement, or ransomware deployment.
Likely Case
Privilege escalation leading to unauthorized access to sensitive data and system resources controlled by the gateway process.
If Mitigated
Limited impact if proper access controls prevent unauthorized configuration modifications and network segmentation isolates vulnerable systems.
🎯 Exploit Status
Exploitation requires write access to configuration files. The vulnerability is straightforward to exploit once configuration access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2026.2.14
Vendor Advisory: https://github.com/openclaw/openclaw/security/advisories/GHSA-7xhj-55q9-pc3m
Restart Required: Yes
Instructions:
1. Update OpenClaw to version 2026.2.14 or later.
2. Apply the patches from GitHub commits 18e8bd68c5015a894f999c6d5e6e32468965bfb5 and a0361b8ba959e8506dc79d638b6e6a00d12887e4.
3. Restart the OpenClaw service.
🔧 Temporary Workarounds
Restrict Configuration File Permissions
Linux: Limit write access to OpenClaw configuration files to trusted administrators only.
chmod 640 /path/to/openclaw/config/*
chown root:openclaw /path/to/openclaw/config/*
Disable Hook Transform Module Loading
All platforms: Remove or disable hook transform functionality if it is not required.
# Edit config to remove hooks.mappings[].transform.module entries
🧯 If You Can't Patch
- Implement strict access controls on OpenClaw configuration files to prevent unauthorized modifications.
- Network segment OpenClaw instances and monitor for suspicious configuration changes.
🔍 How to Verify
Check if Vulnerable:
If the installed OpenClaw version is between 2.0.0-beta3 and 2026.2.13 inclusive, the system is vulnerable.
Check Version:
openclaw --version
Verify Fix Applied:
Verify OpenClaw version is 2026.2.14 or later and confirm patches from referenced commits are applied.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized modifications to OpenClaw configuration files
- Suspicious module loading attempts in OpenClaw logs
- Errors related to hook transform module paths
Network Indicators:
- Unusual outbound connections from OpenClaw gateway process
- Suspicious file transfers from OpenClaw host
SIEM Query:
source="openclaw.log" AND ("transform.module" OR "hooks.mappings") AND (".." OR "/" OR absolute path patterns)
🔗 References
- https://github.com/openclaw/openclaw/commit/18e8bd68c5015a894f999c6d5e6e32468965bfb5
- https://github.com/openclaw/openclaw/commit/a0361b8ba959e8506dc79d638b6e6a00d12887e4
- https://github.com/openclaw/openclaw/security/advisories/GHSA-7xhj-55q9-pc3m
- https://www.vulncheck.com/advisories/openclaw-beta-arbitrary-javascript-module-loading-via-hook-transform-path-traversal