Incomplete List of Disallowed Inputs in OpenClaw - CVE-2026-28363

Published: May 1, 2026


Vulnerability identifier: #VU128795
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-28363
CWE-ID: CWE-184
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OpenClaw
Affected software:
OpenClaw

Detailed vulnerability description

The vulnerability allows a remote user to bypass execution approval checks.

The vulnerability exists due to an incomplete list of disallowed inputs in the tools.exec.safeBins validation for sort when abbreviated GNU long options are processed in allowlist mode. A remote user can supply a specially crafted sort command that uses abbreviated long options to bypass execution approval checks.

Exploitation requires tools.exec.security=allowlist, tools.exec.ask=on-miss, and sort being listed in tools.exec.safeBins.
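The flaw class named above (CWE-184, an incomplete deny-list) illustrated in an added example that is not OpenClaw's code: a check that compares option tokens literally (naiveAllowed) next to one that first canonicalizes GNU long-option abbreviations the way getopt_long resolves them and fails closed on unknown or ambiguous prefixes (hardenedAllowed). The option table is GNU coreutils sort's long options; the disallowed set and all function names are constructed assumptions, not the project's actual policy or API.

```typescript
// getopt_long accepts any unambiguous prefix of a long option, so "--out" is
// the same request as "--output". A deny-list that only knows the full
// spelling therefore misses every abbreviation (CWE-184).

// Long options of GNU coreutils sort. Assumption: complete for the deployed
// binary; a partial table would fail open on abbreviations it cannot see.
const SORT_LONG_OPTS: string[] = [
  "batch-size", "buffer-size", "check", "compress-program", "debug",
  "dictionary-order", "field-separator", "files0-from", "general-numeric-sort",
  "help", "human-numeric-sort", "ignore-case", "ignore-leading-blanks",
  "ignore-nonprinting", "key", "merge", "month-sort", "numeric-sort", "output",
  "parallel", "random-sort", "random-source", "reverse", "sort", "stable",
  "temporary-directory", "unique", "version", "version-sort", "zero-terminated",
];

// Constructed policy (not OpenClaw's): options that make sort write files,
// read arbitrary paths or execute a program are not approval-free "safe" use.
const DISALLOWED = new Set([
  "output", "compress-program", "files0-from", "random-source", "temporary-directory",
]);

// Resolve "--out" or "--out=FILE" as getopt_long would: an exact name wins,
// otherwise a prefix matching exactly one option. Null means unknown or ambiguous.
function canonicalLongOpt(token: string, table: string[] = SORT_LONG_OPTS): string | null {
  if (!token.startsWith("--") || token === "--") return null;
  const name = token.slice(2).split("=", 1)[0];
  if (table.includes(name)) return name;
  const matches = table.filter((o) => o.startsWith(name));
  return matches.length === 1 ? matches[0] : null;
}

// Naive check: strips "--" and "=value" but compares the literal spelling,
// so any abbreviation of a disallowed option passes.
function naiveAllowed(argv: string[]): boolean {
  return argv.every((a) => !DISALLOWED.has(a.replace(/^--/, "").split("=", 1)[0]));
}

// Hardened check: canonicalize every long option before the deny-list lookup
// and reject anything that does not resolve uniquely. Short options (-o) are
// out of scope here; "--" ends option parsing, the rest are operands.
function hardenedAllowed(argv: string[]): boolean {
  for (const a of argv) {
    if (a === "--") break;
    if (!a.startsWith("--")) continue;
    const full = canonicalLongOpt(a);
    if (full === null || DISALLOWED.has(full)) return false;
  }
  return true;
}
```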


How to mitigate CVE-2026-28363

Install the security update from the vendor's website.
