CVE-2026-28484

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.2.15

Description The software contains an option injection flaw in the git-hooks/pre-commit hook. This allows attackers to stage files that are normally ignored by creating files that begin with dashes. The hook does not properly separate filenames when using xargs with git add, which enables attackers to inject git flags and add sensitive ignored files, such as .env files, to the git history.

Recommendations Update to version 2026.2.15 or later.