CVE-2026-28466
published 2026-03-05
Priority P2 · 67 · critical 9.9 (CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS 0.42% (33.7th percentile)
OpenClaw versions prior to 2026.2.14 contain a vulnerability in the gateway in which it fails to sanitize internal approval fields in node.invoke parameters, allowing authenticated clients to bypass exec approval gating for system.run commands. Attackers with valid gateway credentials can inject approval control fields to execute arbitrary commands on connected node hosts, potentially compromising developer workstations and CI runners.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| openclaw | openclaw | < 2026.2.14 | 2026.2.14 |
| openclaw | openclaw | >= 0 < 2026.2.14 | 2026.2.14 |
Detection & IOCs (extracted from sources)
- Look for authenticated gateway requests to node.invoke whose client-supplied parameters contain internal approval control fields (fields that should only ever be set server-side for exec approval gating). Their presence in a client request indicates an exploitation attempt against CVE-2026-28466.
- Monitor for system.run command execution on connected node hosts (developer workstations, CI runners) that originates from the OpenClaw gateway, especially where the invoking session is a gateway-authenticated client rather than a direct local process.
- The vulnerability affects OpenClaw (also known as Moltbot or Clawdbot) versions prior to 2026.2.14. Only authenticated clients holding valid gateway credentials can exploit it; unauthenticated access is not sufficient.
- The npm fix was added 2026-03-08 and the Homebrew fix was added 2026-03-10. Environments that install the openclaw package from either ecosystem should verify they are on 2026.2.14 or later.
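The advisory describes the bug as client-controlled approval fields reaching the exec gate unsanitized, and the IOCs above say to hunt for those fields in client requests. The following JavaScript is an added example written for this page; it is not OpenClaw's code, and since the advisory does not name the internal fields, the field names (`approved`, `approvalToken`, ...), the JSON-lines log layout, the `argv` parameter and the approval store are all assumptions. It shows the vulnerable gate shape beside a hardened one that rejects reserved fields at any nesting depth, and a scanner that flags node.invoke records carrying such fields.

```javascript
"use strict";

// Added example, not OpenClaw's code. The advisory does not name the internal
// approval fields, so the field names below, the log record layout, the argv
// parameter and the approval store are assumptions made for illustration.

// Hypothetical server-side-only approval control fields for node.invoke.
const RESERVED_APPROVAL_FIELDS = new Set([
  "approved", "approvalId", "approvedBy", "approvalToken", "skipApproval",
]);

// Walk client-supplied params and return dotted paths of every reserved key,
// including keys nested inside objects or arrays.
function findReservedFields(value, path = "") {
  const hits = [];
  if (value === null || typeof value !== "object") return hits;
  if (Array.isArray(value)) {
    value.forEach((item, i) => hits.push(...findReservedFields(item, `${path}[${i}]`)));
    return hits;
  }
  for (const [key, child] of Object.entries(value)) {
    const childPath = path ? `${path}.${key}` : key;
    if (RESERVED_APPROVAL_FIELDS.has(key)) hits.push(childPath);
    hits.push(...findReservedFields(child, childPath));
  }
  return hits;
}

// Shape of the bug as the advisory describes it: params reach the approval
// gate unsanitized, so a client can set the (hypothetical) approval field itself.
function gateExecVulnerable(params, approvalStore) {
  if (params.approved === true) return { allowed: true, reason: "approval field present in request" };
  if (approvalStore.has(params.argv.join(" "))) return { allowed: true, reason: "approval store" };
  return { allowed: false, reason: "not approved" };
}

// Hardened gate: reject any request carrying a reserved field at any depth
// (stripping would also work, but rejecting makes the attempt visible), then
// consult only the server-side approval store.
function gateExecFixed(params, approvalStore) {
  const injected = findReservedFields(params);
  if (injected.length > 0) {
    return { allowed: false, reason: `client supplied reserved field(s): ${injected.join(", ")}` };
  }
  if (approvalStore.has(params.argv.join(" "))) return { allowed: true, reason: "approval store" };
  return { allowed: false, reason: "not approved" };
}

// Detection over JSON-lines gateway request logs (layout assumed): report every
// node.invoke whose params carry a reserved approval field, and note whether
// the node command is system.run, the command the advisory is about.
function scanGatewayLog(lines) {
  const findings = [];
  for (const line of lines) {
    let rec;
    try { rec = JSON.parse(line); } catch { continue; }
    if (rec.method !== "node.invoke" || typeof rec.params !== "object" || rec.params === null) continue;
    const injected = findReservedFields(rec.params);
    if (injected.length === 0) continue;
    findings.push({
      ts: rec.ts,
      client: rec.clientId,
      node: rec.params.nodeId,
      command: rec.params.command,
      systemRun: rec.params.command === "system.run",
      fields: injected,
    });
  }
  return findings;
}

// Constructed sample log, not real OpenClaw telemetry.
const SAMPLE_LOG = [
  JSON.stringify({ ts: "2026-03-01T10:00:00Z", clientId: "dev-laptop", method: "node.invoke",
    params: { nodeId: "ci-runner-3", command: "system.run", argv: ["npm", "test"] } }),
  JSON.stringify({ ts: "2026-03-01T10:00:05Z", clientId: "paired-phone", method: "node.invoke",
    params: { nodeId: "ci-runner-3", command: "system.run", argv: ["cat", "/etc/passwd"], approved: true } }),
  JSON.stringify({ ts: "2026-03-01T10:00:09Z", clientId: "paired-phone", method: "node.invoke",
    params: { nodeId: "ws-alice", command: "system.run", argv: ["id"], exec: { approvalToken: "x" } } }),
  JSON.stringify({ ts: "2026-03-01T10:00:12Z", clientId: "dev-laptop", method: "node.invoke",
    params: { nodeId: "ws-alice", command: "system.ping", approved: true } }),
  "not a json record",
];

// Run the injected request through both gates and scan the sample log.
function demo() {
  const approvalStore = new Set(["npm test"]);
  const injected = { nodeId: "ci-runner-3", command: "system.run", argv: ["cat", "/etc/passwd"], approved: true };
  return {
    vulnerable: gateExecVulnerable(injected, approvalStore),
    fixed: gateExecFixed(injected, approvalStore),
    findings: scanGatewayLog(SAMPLE_LOG),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The scanner deliberately reports reserved fields on any node.invoke command, not only system.run, and carries a `systemRun` flag so the analyst can triage the advisory's case first without losing sight of the same pattern against other node commands. Whatever the real field names turn out to be in your deployment, the check to keep is the nested walk: a flat top-level key check would miss the third sample record.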
CVSS provenance
- NVD, CVSS v3.1: 9.9 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
- NVD, CVSS v4.0: 9.4 CRITICAL, CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
GHSA
OpenClaw Vulnerable to Remote Code Execution via Node Invoke Approval Bypass in Gateway
ghsa · 2026-03-02 · CVE-2026-28466 · CRITICAL · CWE-20
### Summary
A remote code execution (RCE) vulnerability in the gateway-to-node invocation path allowed an authenticated gateway client to bypass node-host exec approvals by injecting internal control fields into `node.invoke` parameters.
### Affected Component
- Gateway method: `node.invoke` for node command `system.run`
- Node host runner: exec approval gating for `system.run`
### Impact
If an attacker can authenticate to a gateway (for example via a leaked/shared gateway token or a paired device token with `operator.write`), they could execute arbitrary commands on connected node hosts that support `system.run`. This can lead to full compromise of developer workstations, CI runners, and servers
OSV
OpenClaw Vulnerable to Remote Code Execution via Node Invoke Approval Bypass in Gateway
osv · 2026-03-02 · CVE-2026-28466 · CRITICAL
(OSV carries the same advisory text as the GHSA entry above, verbatim.)
No detection rules found.
No public exploits indexed.
- https://github.com/openclaw/openclaw/commit/0af76f5f0e93540efbdf054895216c398692afcd
- https://github.com/openclaw/openclaw/commit/318379cdb8d045da0009b0051bd0e712e5c65e2d
- https://github.com/openclaw/openclaw/commit/a7af646fdab124a7536998db6bd6ad567d2b06b0
- https://github.com/openclaw/openclaw/commit/c1594627421f95b6bc4ad7c606657dc75b5ad0ce
- https://github.com/openclaw/openclaw/security/advisories/GHSA-gv46-4xfq-jv58
- https://www.vulncheck.com/advisories/openclaw-remote-code-execution-via-node-invoke-approval-bypass
Published 2026-03-05