CVE-2026-28456
Received Received - Intake

Dynamic Import Code Execution in OpenClaw Gateway Module Paths

Vulnerability report for CVE-2026-28456, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-03-05

Last updated on: 2026-03-09

Assigner: VulnCheck

Description

OpenClaw versions 2026.1.5 prior to 2026.2.14 contain a vulnerability in the Gateway in which it does not sufficiently constrain configured hook module paths before passing them to dynamic import(), allowing code execution. An attacker with gateway configuration modification access can load and execute unintended local modules in the Node.js process.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-03-05
Last Modified
2026-03-09
Generated
2026-07-06
AI Q&A
2026-03-06
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
openclaw openclaw From 2026.1.5 (inc) to 2026.2.14 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-427 The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability exists in OpenClaw versions 2026.1.5 prior to 2026.2.14 within the Gateway component. It occurs because the software does not properly restrict the paths of configured hook modules before passing them to the dynamic import() function. This flaw allows an attacker who has access to modify the gateway configuration to load and execute unintended local modules within the Node.js process.

Impact Analysis

This vulnerability can lead to unauthorized code execution within the Node.js process running the OpenClaw Gateway. An attacker with configuration modification access could exploit this to run malicious code, potentially leading to full compromise of the affected system, including confidentiality, integrity, and availability impacts.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

I don't know

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-28456. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart