Improper access control in OpenClaw - CVE-2026-28456
Published: May 4, 2026
Vulnerability identifier: #VU129441
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-28456
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: OpenClaw
Affected software:
OpenClaw
OpenClaw
Detailed vulnerability description
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to improper access control in hook module path handling when loading configured JavaScript or TypeScript transform modules through dynamic import(). A remote privileged user can modify gateway configuration to cause the process to load an unintended local module and execute arbitrary code.
This issue applies when the attacker can modify gateway configuration, such as through gateway configuration endpoints.
How to mitigate CVE-2026-28456
Install security update from vendor's website.