PT-2026-23558 · Openclaw · Openclaw
Mrthankyou
·
Published
2026-03-05
·
Updated
2026-03-06
·
CVE-2026-28484
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
OpenClaw versions prior to 2026.2.15
Description
The software contains an option injection flaw in the git-hooks/pre-commit hook. This allows attackers to stage files that are normally ignored by creating files that begin with dashes. The hook does not properly separate filenames when using
xargs with git add, which enables attackers to inject git flags and add sensitive ignored files, such as .env files, to the git history.Recommendations
Update to version 2026.2.15 or later.
Fix
Command Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Openclaw