OS Command Injection in OpenClaw - CVE-2026-28470
Published: May 4, 2026
OpenClaw
Detailed vulnerability description
The vulnerability allows a remote attacker to execute arbitrary commands.
The vulnerability exists due to improper neutralization of special elements used in an OS command in the exec approvals allowlist analysis: when the analysis processes command substitution or backticks inside double-quoted input, those constructs are not treated as executable, even though a POSIX shell still expands them inside double quotes. A remote attacker can supply specially crafted input to execute arbitrary commands.
Only installations with the optional exec approvals allowlist feature explicitly enabled are vulnerable.
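The defensive check the advisory implies, as an added example that is not OpenClaw's own code: before an allowlist decision is made on a shell command string, scan it with a small quote-aware state machine and refuse anything that contains `$(...)` or backticks outside single quotes (double quotes do not stop a POSIX shell from expanding either). The function names, the sample allowlist and the sample command strings below are constructed for illustration and are not taken from the project.

```python
import shlex

# Constructed sample allowlist; not OpenClaw's configuration.
ALLOWLIST = frozenset({"ls", "echo", "git"})


def find_command_substitution(cmd: str) -> list:
    """Return (offset, kind) for each command substitution a POSIX shell
    would evaluate: "$(" or a backtick anywhere outside single quotes.

    Only single quotes make these characters literal. Inside double quotes
    they still expand, which is the case the advisory describes, so the scan
    tracks both quote states separately.
    """
    found = []
    in_single = False
    in_double = False
    i, n = 0, len(cmd)
    while i < n:
        ch = cmd[i]
        if in_single:
            # Nothing expands inside single quotes; only a closing quote matters.
            if ch == "'":
                in_single = False
            i += 1
            continue
        if ch == "\\":
            # Backslash escapes the next character. Inside double quotes it
            # only escapes $ ` " \ and newline, but skipping the next character
            # unconditionally is the conservative choice for a rejection check.
            i += 2
            continue
        if ch == "'" and not in_double:
            in_single = True
        elif ch == '"':
            in_double = not in_double
        elif ch == "`":
            found.append((i, "backtick"))
        elif ch == "$" and i + 1 < n and cmd[i + 1] == "(":
            # Also catches $(( ... )) arithmetic, which is fine for a deny rule.
            found.append((i, "dollar-paren"))
        i += 1
    return found


def allowlist_decision(cmd: str, allowlist: frozenset) -> tuple:
    """Decide whether `cmd` may run under an argv[0] allowlist.

    The substitution scan runs first, so a command whose first word is
    allowlisted is still rejected when any argument would spawn a subshell.
    Returns (allowed, reason).
    """
    subs = find_command_substitution(cmd)
    if subs:
        offset, kind = subs[0]
        return False, f"command substitution ({kind}) at offset {offset}"
    try:
        argv = shlex.split(cmd)
    except ValueError as exc:
        return False, f"unparseable command: {exc}"
    if not argv:
        return False, "empty command"
    if argv[0] in allowlist:
        return True, f"{argv[0]} is allowlisted"
    return False, f"{argv[0]} not allowlisted"


if __name__ == "__main__":
    # Constructed test inputs covering the quoting cases the advisory names.
    samples = [
        'echo "hello"',        # plain double-quoted argument: allowed
        "echo '$(date)'",      # single quotes keep $(...) literal: allowed
        'echo "$(date)"',      # double quotes do not: rejected
        'echo "`date`"',       # same with backticks: rejected
        r'echo "\$(date)"',    # escaped $ inside double quotes: literal, allowed
        "rm -rf /tmp/x",       # argv[0] not on the allowlist: rejected
    ]
    for s in samples:
        allowed, reason = allowlist_decision(s, ALLOWLIST)
        print(f"{'ALLOW' if allowed else 'DENY ':5} {s!r:24} {reason}")
```

The point of ordering the substitution scan before the argv[0] lookup is that an allowlist keyed on the first word alone says nothing about what the arguments will do once the string reaches a shell; a tokenizer such as `shlex.split` strips the quotes and so hides the difference between `'$(date)'` and `"$(date)"`, which is exactly the distinction the check has to preserve.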