CVE-2026-28456
Received Received - Intake
Dynamic Import Code Execution in OpenClaw Gateway Module Paths

Publication date: 2026-03-05

Last updated on: 2026-03-09

Assigner: VulnCheck

Description
OpenClaw versions 2026.1.5 prior to 2026.2.14 contain a vulnerability in the Gateway in which it does not sufficiently constrain configured hook module paths before passing them to dynamic import(), allowing code execution. An attacker with gateway configuration modification access can load and execute unintended local modules in the Node.js process.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-05
Last Modified
2026-03-09
Generated
2026-06-16
AI Q&A
2026-03-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-28456
EUVD
EUVD-2026-9904
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
openclaw openclaw From 2026.1.5 (inc) to 2026.2.14 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-427 The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability exists in OpenClaw versions 2026.1.5 prior to 2026.2.14 within the Gateway component. It occurs because the software does not properly restrict the paths of configured hook modules before passing them to the dynamic import() function. This flaw allows an attacker who has access to modify the gateway configuration to load and execute unintended local modules within the Node.js process.

Impact Analysis

This vulnerability can lead to unauthorized code execution within the Node.js process running the OpenClaw Gateway. An attacker with configuration modification access could exploit this to run malicious code, potentially leading to full compromise of the affected system, including confidentiality, integrity, and availability impacts.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

I don't know

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-28456. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart