PT-2026-23533 · Openclaw · Openclaw
222N5
Published: 2026-02-14 · Updated: 2026-03-07
CVE-2026-28456
CVSS v4.0: 8.6 (High)
Vector: AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: OpenClaw versions 2026.1.5 through 2026.2.13
Description: The OpenClaw Gateway does not adequately restrict the hook module paths taken from its configuration before passing them to the dynamic import() function, which can lead to code execution. An attacker who can modify the gateway configuration can point these values at unintended local modules and have them loaded and executed inside the gateway's Node.js process. Because the attack requires the ability to change the gateway configuration, it is rated as requiring high privileges (PR:H in the vector above). The affected code path is the import() call fed by the configuration parameters hooks.mappings[].transform.module and hooks.internal.handlers[].module.
Recommendations: Upgrade to version 2026.2.14 or newer. Do not expose gateway configuration endpoints to untrusted networks. Review the configuration for unsafe values in hooks.mappings[].transform.module and hooks.internal.handlers[].module, for example paths that resolve outside the directory hook modules are expected to live in.

Fix: available (version 2026.2.14)

Weakness Enumeration:
Uncontrolled Search Path Element (CWE-427)
Path traversal (CWE-22)

Related Identifiers:
BDU:2026-06172
CVE-2026-28456
GHSA-V6C6-VQQG-W888

Affected Products:
Openclaw