CVE-2026-28470
Published 2026-03-05
Priority P264 · Critical · 9.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 0.48% (37.6th percentile)
OpenClaw versions prior to 2026.2.2 contain an allowlist bypass in the exec approvals feature (which must be explicitly enabled) that allows attackers to execute arbitrary commands by injecting command substitution syntax. The allowlist analysis treats the contents of double-quoted strings as inert, but the shell still expands command substitution inside double quotes, so an attacker can embed an unescaped $() or backtick sequence in a double-quoted argument of an allowlisted command and run an unauthorized command.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| openclaw | openclaw | < 2026.2.2 | 2026.2.2 |
| openclaw | openclaw | >= 0 < 2026.2.2 | 2026.2.2 |
Detection & IOCs (extracted from sources)
- Detect command substitution injection via unescaped $() syntax embedded inside double-quoted strings passed to the exec approvals allowlist.
- Detect command substitution injection via backtick syntax embedded inside double-quoted strings passed to the exec approvals allowlist.
- The exec approvals allowlist feature must be explicitly enabled for this vulnerability to be exploitable; installations with exec approvals disabled are not affected.
- Affected versions are OpenClaw prior to 2026.2.2 (also known as Moltbot or Clawdbot); upgrade to 2026.2.2 or later to remediate.
CVSS provenance
NVD v3.1: 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v4.0: 9.2 CRITICAL · CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
OSV
osv · 2026-02-17
CVE-2026-28470 [HIGH] OpenClaw has an exec allowlist bypass via command substitution/backticks inside double quotes
### Summary
Exec approvals allowlist bypass via command substitution/backticks inside double quotes.
### Affected Packages / Versions
- Package: `openclaw` (npm)
- Affected: `< 2026.2.2`
### Impact
Only affects setups that explicitly enable the optional exec approvals allowlist feature. Default installs are unaffected.
### Fix
Reject unescaped `$()` and backticks inside double quotes during allowlist analysis.
### Fix Commit(s)
- d1ecb46076145deb188abcba8f0699709ea17198
Thanks @simecek for reporting.
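The bypass and the fix described above (the Summary/Fix text and the page description both name the same weakness), as an added example in JavaScript since OpenClaw ships as an npm package. This is not OpenClaw's code: the function names, the "first word of the command must be on the allowlist" model, and the `naiveAllowed` shape that treats any quoted text as inert are assumptions made to illustrate the advisory. The scanner goes slightly beyond the page's wording: it follows POSIX quoting rules (single quotes are fully literal, a backslash inside double quotes escapes only `$`, backtick, `"`, `\` and newline) and also rejects bare, unquoted substitution.

```javascript
// Added example, not OpenClaw's code. Demonstrates why treating "..." as
// an inert literal during allowlist analysis is unsafe, and a quote-aware
// scan that rejects unescaped $() and backticks wherever the shell would
// still expand them (bare or inside double quotes).

// Walk the command the way POSIX sh tokenizes quotes and backslashes and
// return every substitution marker that would actually be executed.
// Each unescaped backtick counts as one hit.
function findCommandSubstitutions(cmd) {
  const hits = [];
  let quote = null; // null (unquoted), "'" or '"'
  for (let i = 0; i < cmd.length; i++) {
    const ch = cmd[i];
    if (quote === "'") {
      if (ch === "'") quote = null; // nothing is special inside '...'
      continue;
    }
    if (ch === "\\") {
      // Unquoted: backslash escapes any character. Inside "...": it escapes
      // only $ ` " \ and newline; otherwise both characters stay literal.
      if (quote === null || '$`"\\\n'.includes(cmd[i + 1] ?? "")) i++;
      continue;
    }
    if (quote === null && ch === "'") { quote = "'"; continue; }
    if (ch === '"') { quote = quote === '"' ? null : '"'; continue; }
    if (ch === "`") {
      hits.push({ index: i, kind: "backtick", inDoubleQuotes: quote === '"' });
    } else if (ch === "$" && cmd[i + 1] === "(") {
      hits.push({ index: i, kind: "$()", inDoubleQuotes: quote === '"' });
    }
  }
  return hits;
}

// Replace every quoted argument with an empty literal so the command name
// can be read off the front. Shared by both checks below.
function stripQuoted(cmd) {
  return cmd.replace(/"[^"]*"|'[^']*'/g, '""');
}

function commandName(cmd) {
  return stripQuoted(cmd).trim().split(/\s+/)[0];
}

// Vulnerable shape (assumed model of the advisory's weakness, not OpenClaw's
// actual code): quoted text is discarded before looking for substitution,
// so only bare $() or backticks are caught and "$(...)" slips through.
function naiveAllowed(cmd, allowlist) {
  const stripped = stripQuoted(cmd);
  if (/[`$(]/.test(stripped)) return false;
  return allowlist.includes(commandName(cmd));
}

// Hardened shape, matching the fix the advisory describes: run the
// quote-aware scan over the raw command and reject on any live
// substitution, then apply the same command-name allowlist check.
function hardenedAllowed(cmd, allowlist) {
  if (findCommandSubstitutions(cmd).length > 0) return false;
  return allowlist.includes(commandName(cmd));
}

// Constructed sample inputs for a stand-alone run.
const ALLOWLIST = ["echo", "ls"];
const SAMPLES = [
  'echo "$(id)"',      // bypass: substitution inside double quotes
  'echo "`id`"',       // bypass: backticks inside double quotes
  "echo '$(id)'",      // safe: single quotes are literal
  'echo "\\$(id)"',    // safe: escaped $ inside double quotes
  'echo "\\\\$(id)"',  // bypass: escaped backslash, $( is live
  "rm -rf /",          // not on the allowlist at all
];
for (const cmd of SAMPLES) {
  console.log(
    JSON.stringify(cmd).padEnd(22),
    "naive:", naiveAllowed(cmd, ALLOWLIST),
    "hardened:", hardenedAllowed(cmd, ALLOWLIST),
  );
}
```

The scan is deliberately conservative: it rejects rather than trying to prove a substitution harmless, which is the same posture as the advisory's fix. It covers only the two constructs the advisory names plus their bare forms; other expansions the shell performs inside double quotes (for example `$VAR`) are outside this page's scope, and the whole check is only relevant when the optional exec approvals allowlist is enabled.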
GHSA
ghsa · 2026-02-17
CVE-2026-28470 [HIGH] CWE-78 OpenClaw has an exec allowlist bypass via command substitution/backticks inside double quotes
Same advisory text as the OSV entry above: package `openclaw` (npm), affected `< 2026.2.2`, fix is to reject unescaped `$()` and backticks inside double quotes during allowlist analysis, fix commit d1ecb46076145deb188abcba8f0699709ea17198, reported by @simecek.
No detection rules found.
No public exploits indexed.