Platform
javascript
Component
openclaw
Fixed in
2026.2.14
CVE-2026-28393 describes a path traversal vulnerability discovered in OpenClaw, a game engine. This flaw allows attackers with write access to configuration files to execute arbitrary JavaScript code, escalating privileges within the gateway process. The vulnerability affects versions 2.0.0-beta3 through 2026.2.14, and a patch is available in version 2026.2.14.
The path traversal vulnerability in OpenClaw's hook transform module loading allows arbitrary JavaScript execution. An attacker who can modify the hooks.mappings[].transform.module parameter can supply an absolute path or a traversal sequence, causing the gateway to load and execute a module of the attacker's choosing. This grants the attacker the privileges of the gateway process and could lead to compromise of the entire system. The impact is significant because of the potential for remote code execution and privilege escalation within the OpenClaw environment; successful exploitation could result in data theft, system disruption, or further malicious activity.
CVE-2026-28393 was publicly disclosed on March 5, 2026. Currently, there is no indication of active exploitation in the wild. No public proof-of-concept (PoC) code has been released. The vulnerability is not currently listed on the CISA KEV catalog. The CVSS score of 7.7 (High) indicates a significant potential for exploitation if the vulnerability is exposed and accessible.
Exploit Status
EPSS
0.10% (27th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-28393 is to upgrade OpenClaw to version 2026.2.14 or later immediately. Before upgrading, back up your OpenClaw configuration files so that you can roll back if the upgrade introduces unforeseen issues. If upgrading is not immediately feasible, restrict write access to the hook configuration files to authorized personnel only. Validate the hooks.mappings[].transform.module parameter so that absolute paths and traversal sequences are rejected before any module is loaded. Monitor system logs for suspicious activity related to module loading and JavaScript execution.
Update OpenClaw to version 2026.2.14 or later. This version fixes the path traversal vulnerability in JavaScript module loading. The update will prevent arbitrary JavaScript code execution.
CVE-2026-28393 is a Path Traversal vulnerability in OpenClaw versions 2.0.0-beta3 through 2026.2.14, allowing attackers to execute arbitrary JavaScript code with gateway process privileges.
You are affected if you are using OpenClaw versions 2.0.0-beta3 through 2026.2.14 and have not yet upgraded to version 2026.2.14 or later.
Upgrade OpenClaw to version 2026.2.14 or later. Back up your configuration files before upgrading and restrict write access to configuration files as a temporary workaround.
There is currently no evidence of active exploitation in the wild, and no public proof-of-concept code has been released.
Refer to the OpenClaw project's official website and security advisories for the latest information and updates regarding CVE-2026-28393.