Vulnerability Report

CVE-2026-28456

Title: Gateway remote code execution via hook module paths

Other

Proof Of Concept

No public PoC currently indexed for CVE-2026-28456.

CWE Category CWE-427

Published Date Mar 05, 2026

Modified Date Mar 09, 2026

Exploit Status Not Found

Score 8.6 CVSS v4.0

Exploit Probability (EPSS)

0.41%

Vulnerability Summary

CVE-2026-28456: OpenClaw versions 2026.1.5 prior to 2026.2.14 contain a vulnerability in the Gateway in which it does not sufficiently constrain configured hook module paths before passing them to dynamic import(), allowing code execution. An attacker with gateway configuration modification access can load and execute unintended local modules in the Node.js process.

Impacted Vendors

openclaw 1

Reference Links

https://github.com/openclaw/openclaw/commit/35c0e66ed057f1a9f7ad2515fdcef516bd6584ce https://github.com/openclaw/openclaw/commit/a0361b8ba959e8506dc79d638b6e6a00d12887e4 https://github.com/openclaw/openclaw/security/advisories/GHSA-v6c6-vqqg-w888 https://www.vulncheck.com/advisories/openclaw-arbitrary-code-execution-via-unsafe-hook-module-path-handling

CVSS v4.0

Source Entity [email protected]

Severity HIGH

8.6

Attack Vector

NETWORK

Complexity

LOW

Privileges

N/A

Interaction

NONE

Confidentiality

N/A

Integrity

N/A

Availability

N/A

Scope

N/A

RAW VECTOR

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CVSS v3.1