Platform: nodejs
Component: openclaw
Fixed in: 2026.2.23
CVE-2026-28363 describes a critical remote code execution (RCE) vulnerability discovered in OpenClaw, a Node.js tooling library. This flaw allows attackers to bypass validation mechanisms within the tools.exec.safeBins module, potentially leading to arbitrary code execution on affected systems. The vulnerability affects versions prior to 2026.2.23 and has been addressed in the updated release. Prompt patching is strongly recommended.
The core of the vulnerability lies in the insufficient validation of command-line arguments within the tools.exec.safeBins module when operating in allowlist mode. OpenClaw intended to restrict execution to explicitly approved commands, but a flaw in how GNU long-option abbreviations (e.g., --compress-prog instead of --compress-program) were handled allowed attackers to bypass this restriction. By crafting malicious command-line arguments using these abbreviations, an attacker can execute arbitrary commands without triggering the intended approval process. This effectively grants them complete control over the affected system, enabling actions such as data theft, malware installation, and system compromise. The potential blast radius is significant, particularly in environments where OpenClaw is integrated into automated build or deployment pipelines.
CVE-2026-28363 was publicly disclosed on 2026-02-27. There is currently no indication that this vulnerability is being actively exploited in the wild, but its CRITICAL severity and ease of exploitation warrant immediate attention. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept (POC) code is not yet available, but the vulnerability's nature suggests that a POC is likely to emerge soon. Security researchers should prioritize developing and sharing detection signatures.
Exploit Status
EPSS: 0.04% (10th percentile)
The primary mitigation for CVE-2026-28363 is to immediately upgrade OpenClaw to version 2026.2.23 or later. If upgrading is not immediately feasible due to compatibility concerns or breaking changes, consider implementing stricter input validation on command-line arguments passed to the tools.exec.safeBins module. Specifically, ensure that the full, unabbreviated command-line options are used and validated against the allowlist. As a temporary workaround, disabling the allowlist mode entirely might reduce the attack surface, but this is not a recommended long-term solution. Monitor system logs for unusual process executions or command-line patterns that might indicate exploitation attempts. After upgrading, confirm the fix by attempting to execute a command using a GNU long-option abbreviation and verifying that it is properly rejected.
Update OpenClaw to version 2026.2.23 or later. This version fixes the vulnerability that allows unauthorized command execution through manipulation of GNU option abbreviations in allowlist mode.
CVE-2026-28363 is a critical remote code execution vulnerability in OpenClaw versions before 2026.2.23, allowing attackers to bypass validation and execute arbitrary code.
If you are using OpenClaw versions prior to 2026.2.23, you are vulnerable to this RCE vulnerability.
Upgrade OpenClaw to version 2026.2.23 or later to mitigate the vulnerability. Consider stricter input validation as a temporary workaround.
There is currently no confirmed active exploitation, but the vulnerability's severity and ease of exploitation warrant immediate attention.
Refer to the OpenClaw project's official release notes and security advisories for details on this vulnerability and the fix.