Platform: nodejs
Component: openclaw
Fixed in: 2026.2.14
CVE-2026-28466 is a critical Remote Code Execution (RCE) vulnerability in OpenClaw versions prior to 2026.2.14. It allows an authenticated client to bypass the approval gating that is supposed to protect system.run, and so to execute arbitrary commands on any node host connected to the gateway. Because OpenClaw nodes typically run on developer workstations and CI runners, successful exploitation can compromise those hosts. The vulnerability is fixed in version 2026.2.14.
The impact of CVE-2026-28466 is severe. An attacker with valid gateway credentials can inject approval control fields into node.invoke parameters so that the approval check for system.run is skipped, and the command is then executed on the target node host. Given OpenClaw's use in developer environments and CI/CD pipelines, a successful attack could lead to theft of source code and secrets, deployment of malicious build artifacts, and disruption of development workflows. The blast radius extends to every node host connected to the gateway, so a single set of stolen or misused credentials can affect multiple developers and systems.
CVE-2026-28466 was publicly disclosed on 2026-03-05. The vulnerability's impact and the potential for widespread exploitation in developer environments suggest a medium probability of exploitation. No public proof-of-concept (POC) code has been released at the time of writing, but the ease of exploitation given valid credentials makes it a likely target. The vulnerability has not been added to the CISA KEV catalog as of this date.
Exploit Status
EPSS: 0.10% (28th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-28466 is to upgrade OpenClaw to version 2026.2.14 or later immediately. If upgrading is not immediately feasible, restrict who can reach the gateway (network allowlists and a review of issued credentials) and audit all node.invoke calls for approval control fields supplied by clients. Treat any such field in client input as hostile: reject the request rather than merging the field, and allowlist the parameters that system.run accepts. A WAF or proxy cannot fix the flaw itself, since it sits in the gateway's own approval logic, but a proxy in front of the gateway can log node.invoke traffic and alert on or block requests carrying approval control fields. After upgrading, confirm the fix by sending a system.run request with a crafted approval control field and verifying that the gateway rejects it or still holds it for operator approval instead of executing it.
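The bypass described above and the validation the workaround calls for, as an added example in Node.js. This is not OpenClaw's code: the request shape, the field names `approval`, `approved` and `skipApproval`, the allowlisted parameter names and the log format are all assumptions made for illustration. It shows a vulnerable dispatcher that lets client-supplied params overwrite the gateway's approval decision, a hardened dispatcher that rejects approval control fields and allowlists the rest, and an audit helper that scans logged node.invoke calls for injected fields.

```javascript
// Added example, not OpenClaw's code. Field names, request shape and log
// format are assumptions chosen to illustrate the bug class in the advisory.

// Gateway-side ledger of request ids an operator has explicitly approved.
const approvedRequests = new Set();
function operatorApprove(requestId) {
  approvedRequests.add(requestId);
}

// Keys that belong to the gateway's approval machinery and must never be
// accepted from a client, whatever their value. (Assumed names.)
const APPROVAL_CONTROL_KEYS = new Set(['approval', 'approved', 'skipApproval']);

// Keys a client may legitimately send in node.invoke params. (Assumed names.)
const INVOKE_PARAM_ALLOWLIST = new Set(['node', 'command', 'args']);

// Stand-in for forwarding to the node host: records what would have run.
function forwardToNode(envelope, executed) {
  executed.push(`${envelope.params.node}:${envelope.params.args.cmd}`);
  return { status: 'executed' };
}

// Vulnerable dispatcher. Client params are spread over the gateway's own
// fields when the envelope is built, so a client-supplied `approval` object
// replaces the decision the gateway just computed.
function dispatchVulnerable(invoke, executed) {
  const envelope = {
    requestId: invoke.requestId,
    params: invoke.params,
    approval: {
      required: invoke.params.command === 'system.run',
      granted: approvedRequests.has(invoke.requestId),
    },
    ...invoke.params, // BUG: client-controlled keys overwrite `approval`
  };
  if (envelope.approval.required && !envelope.approval.granted) {
    return { status: 'pending_approval' };
  }
  return forwardToNode(envelope, executed);
}

// Hardened dispatcher. Approval-control keys in client params are rejected
// outright, remaining params are filtered through an allowlist, and the
// approval decision comes only from the gateway's ledger.
function dispatchHardened(invoke, executed) {
  const keys = Object.keys(invoke.params || {});
  const injected = keys.filter((k) => APPROVAL_CONTROL_KEYS.has(k));
  if (injected.length > 0) {
    return { status: 'rejected', reason: `approval control field in params: ${injected.join(',')}` };
  }
  const params = {};
  for (const k of keys) {
    if (INVOKE_PARAM_ALLOWLIST.has(k)) params[k] = invoke.params[k];
  }
  const required = params.command === 'system.run';
  const granted = approvedRequests.has(invoke.requestId);
  if (required && !granted) {
    return { status: 'pending_approval' };
  }
  return forwardToNode({ requestId: invoke.requestId, params }, executed);
}

// Audit helper for the interim workaround: scan logged node.invoke calls
// (assumed one JSON object per line) and report those whose params carry
// approval-control keys.
function auditInvokeLog(lines) {
  const findings = [];
  for (const line of lines) {
    let rec;
    try { rec = JSON.parse(line); } catch { continue; } // skip non-JSON lines
    if (!rec || rec.method !== 'node.invoke') continue;
    const hits = Object.keys(rec.params || {}).filter((k) => APPROVAL_CONTROL_KEYS.has(k));
    if (hits.length > 0) findings.push({ requestId: rec.requestId, client: rec.client, keys: hits });
  }
  return findings;
}

// Constructed sample requests: one benign, one carrying an injected approval field.
const benignInvoke = {
  requestId: 'req-1', client: 'dev-alice', method: 'node.invoke',
  params: { node: 'ci-runner-3', command: 'system.run', args: { cmd: 'id' } },
};
const injectedInvoke = {
  requestId: 'req-2', client: 'dev-mallory', method: 'node.invoke',
  params: { node: 'ci-runner-3', command: 'system.run', args: { cmd: 'id' },
            approval: { required: false, granted: true } },
};
const SAMPLE_LOG = [JSON.stringify(benignInvoke), JSON.stringify(injectedInvoke), 'not json'];

// Runs both dispatchers against the samples; resets the ledger so it is repeatable.
function demo() {
  approvedRequests.clear();
  const executed = [];
  const results = {
    vulnBenign: dispatchVulnerable(benignInvoke, executed).status,     // pending_approval
    vulnInjected: dispatchVulnerable(injectedInvoke, executed).status, // executed (bypass)
    hardInjected: dispatchHardened(injectedInvoke, executed).status,   // rejected
    hardBenign: dispatchHardened(benignInvoke, executed).status,       // pending_approval
  };
  operatorApprove('req-1');
  results.hardApproved = dispatchHardened(benignInvoke, executed).status; // executed
  results.executed = executed;
  return results;
}

console.log(demo());
console.log(auditInvokeLog(SAMPLE_LOG));
```

The point of the hardened path is that rejection happens before any merge: a client-supplied approval field is never compared, copied or ignored, it is a reason to refuse the request and log the caller. The audit helper implements the same check over whatever request log the gateway or a fronting proxy already produces.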
Update OpenClaw to version 2026.2.14 or later. This version fixes the remote code execution approval bypass vulnerability. The update will prevent attackers with valid credentials from executing arbitrary commands on connected nodes.
CVE-2026-28466 is a critical Remote Code Execution vulnerability in OpenClaw versions prior to 2026.2.14, allowing an attacker with valid gateway credentials to execute arbitrary commands on connected node hosts.
You are affected if you are using OpenClaw versions prior to 2026.2.14 and have authenticated users with access to the gateway.
Upgrade OpenClaw to version 2026.2.14 or later. As a temporary workaround, restrict gateway access and carefully audit node.invoke calls.
While no public exploits are currently known, the vulnerability's ease of exploitation suggests a potential for active exploitation.
Refer to the official OpenClaw security advisory for detailed information and updates: [https://github.com/open-claw/open-claw/security/advisories/CVE-2026-28466]