Path traversal in OpenClaw - CVE-2026-28393

Published: May 4, 2026


Vulnerability identifier: #VU129443
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-28393
CWE-ID: CWE-22
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: OpenClaw
Affected software:
OpenClaw

Detailed vulnerability description

The vulnerability allows a local privileged user to execute arbitrary code.

The vulnerability exists due to path traversal in the hooks.mappings[].transform.module setting when processing webhook mappings. A local privileged user can configure a transform module path that escapes the intended transforms directory, then trigger webhook processing so that the module at that path is loaded and its code executed.

Exploitation requires the ability to modify hooks configuration through configuration access or authenticated configuration mechanisms.


How to mitigate CVE-2026-28393

Install the security update from the vendor's website.
