top of page
perceptive_background_267k.jpg

OpenClaw versions 2026.1.5 prior to 2026.2.14 contain a vulnerability in the Gateway in which it does not sufficiently constrain configured hook module paths be…

Published:

4 maart 2026 om 23:00:00

Alert date:

5 maart 2026 om 23:13:13

Source:

nvd.nist.gov

Click to open the original link from this advisory

Web Technologies, Supply Chain & Dependencies

OpenClaw versions 2026.1.5 prior to 2026.2.14 contain a critical vulnerability in the Gateway component that allows arbitrary code execution. The vulnerability stems from insufficient validation of hook module paths before passing them to dynamic import() function. Attackers with gateway configuration modification access can exploit this to load and execute unintended local modules within the Node.js process. This represents a significant security risk for applications using affected OpenClaw versions. Multiple patches and security advisories have been released to address this issue.

Technical details

Mitigation steps:

Affected products:

OpenClaw

Related links:

https://nvd.nist.gov/vuln/detail/CVE-2026-28456
https://github.com/openclaw/openclaw/commit/35c0e66ed057f1a9f7ad2515fdcef516bd6584ce
https://github.com/openclaw/openclaw/commit/a0361b8ba959e8506dc79d638b6e6a00d12887e4
https://github.com/openclaw/openclaw/security/advisories/GHSA-v6c6-vqqg-w888
https://www.vulncheck.com/advisories/openclaw-arbitrary-code-execution-via-unsafe-hook-module-path-handling

Related CVE's:

Related threat actors:

IOC's:

This article was created with the assistance of AI technology by Perceptive.

About us

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Deze website toont informatie afkomstig van externe bronnen; Perceptive aanvaardt geen verantwoordelijkheid voor de juistheid, volledigheid of actualiteit van deze informatie.

bottom of page