PT-2026-23522 · Openclaw · Openclaw

Akhmittra · Published 2026-03-03 · Updated 2026-03-11

CVE-2026-28393

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: OpenClaw versions 2.0.0-beta3 through 2026.2.13

Description: OpenClaw contains a path traversal issue in the hook transform module loading process that can lead to arbitrary JavaScript execution. The hooks.mappings[].transform.module parameter accepts absolute paths and traversal sequences. An attacker with configuration write access can use this to load and execute malicious modules with the privileges of the gateway process. The issue arises because path resolution previously accepted absolute paths and did not enforce containment for relative paths, so a config-controlled transform could resolve outside the intended transforms directory.

Recommendations: Update OpenClaw to version 2026.2.14 or later.

Fix

Weakness Enumeration

Uncontrolled Search Path Element
Path traversal

Related Identifiers

CVE-2026-28393
GHSA-7XHJ-55Q9-PC3M

Affected Products

Openclaw