Platform: javascript
Component: openclaw
Fixed in: 2026.2.14
CVE-2026-28393 describes a path traversal vulnerability discovered in OpenClaw, a game engine. The flaw allows an attacker with write access to the configuration files to execute arbitrary JavaScript code and so escalate privileges within the gateway process. The vulnerability affects versions 2.0.0-beta3 through 2026.2.14, and a patch is available in version 2026.2.14.
The path traversal in OpenClaw's hook transform module loading is particularly concerning because of its potential for remote code execution. An attacker who can modify the hooks.mappings[].transform.module value can supply an absolute path or a traversal sequence, causing the gateway to load and execute an attacker-controlled JavaScript module. Because the gateway process typically runs with elevated privileges, successful exploitation could grant the attacker significant control over the system, including data theft, service disruption, or complete takeover of the OpenClaw instance. Arbitrary JavaScript execution in the context of the gateway process substantially widens the attack surface.
CVE-2026-28393 was publicly disclosed on March 5, 2026. Currently, there are no known public exploits or active campaigns targeting this vulnerability. Its inclusion in the NVD is pending. The EPSS score is likely to be assessed as medium, given the potential for RCE and the relative complexity of exploitation, which requires write access to the configuration.
Organizations and individuals using OpenClaw, particularly those with publicly accessible instances or those who allow external users to modify configuration files, are at risk. Environments where OpenClaw is integrated with other systems or services are also at increased risk due to the potential for lateral movement.
• javascript: Examine OpenClaw configuration files for suspicious entries in the hooks.mappings[].transform.module parameter, particularly those containing absolute paths or traversal sequences (e.g., ../).
• javascript: Monitor OpenClaw logs for errors or warnings related to module loading failures, which could indicate an attempted exploitation.
• javascript: Use a debugger to step through the hook transform module loading process and identify any unexpected file access patterns.
Disclosure
Exploit status
EPSS: 0.10% (27th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-28393 is to upgrade OpenClaw to version 2026.2.14 or later without delay. Before upgrading, back up your OpenClaw configuration files so you can roll back if the upgrade introduces unforeseen compatibility issues. If upgrading is not immediately feasible, restrict write access to the configuration files to authorized personnel only. Apply strict input validation to any user-supplied data that is used to configure the hook transform module. A WAF or proxy cannot prevent this vulnerability directly, but it can help detect and block suspicious requests by monitoring for unusual file paths or JavaScript execution patterns. After upgrading, confirm the fix by attempting to load a malicious module via the hooks.mappings[].transform.module parameter and verifying that the attempt is denied.
Update OpenClaw to version 2026.2.14 or later. This version fixes the path traversal vulnerability in JavaScript module loading. The update prevents execution of arbitrary JavaScript code.
CVE-2026-28393 is a path traversal vulnerability in OpenClaw versions 2.0.0-beta3 through 2026.2.14, allowing attackers to execute arbitrary JavaScript code with gateway process privileges.
You are affected if you are using OpenClaw versions 2.0.0-beta3 through 2026.2.14 and have not yet upgraded to version 2026.2.14 or later.
Upgrade OpenClaw to version 2026.2.14 or later. Back up your configuration files before upgrading and restrict write access to configuration files as a temporary workaround.
There is currently no evidence of active exploitation in the wild, and no public proof-of-concept code has been released.
Refer to the OpenClaw project's official website and security advisories for the latest information and updates regarding CVE-2026-28393.