CVE-2026-28470

CriticalPublic PoC

Published: 05 March 2026

Published

05 March 2026

Modified

25 March 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0010 27.2th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

OpenClaw versions prior to 2026.2.2 contain an exec approvals (must be enabled) allowlist bypass vulnerability that allows attackers to execute arbitrary commands by injecting command substitution syntax. Attackers can bypass the allowlist protection by embedding unescaped $() or backticks inside…

double-quoted strings to execute unauthorized commands.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mitigates the vulnerability by requiring timely remediation through upgrading to OpenClaw 2026.2.2, which fixes the exec approvals allowlist bypass.

SI-10 Information Input Validation good match

prevent

Requires validation of inputs to the exec function to reject command substitution syntax like unescaped $() or backticks in double-quoted strings.

AC-6 Least Privilege partial match

prevent

Limits the impact of arbitrary command execution by enforcing least privilege on the vulnerable OpenClaw process.

Security SummaryAI

CVE-2026-28470, published on 2026-03-05, is a critical vulnerability (CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) in OpenClaw versions prior to 2026.2.2. It manifests as an exec approvals allowlist bypass, which requires the feature to be enabled, enabling attackers to execute arbitrary commands through command substitution syntax. Specifically, attackers can embed unescaped $() constructs or backticks inside double-quoted strings to circumvent the allowlist protections. The issue is categorized under CWE-78 (OS Command Injection).

The vulnerability is exploitable by unauthenticated remote attackers requiring no user interaction and low attack complexity. Exploitation allows bypassing the exec approvals mechanism to run unauthorized commands on the affected system, resulting in high impacts to confidentiality, integrity, and availability.

Mitigation guidance from advisories, including the GitHub security advisory (GHSA-3hcm-ggvf-rch5) and Vulncheck, points to upgrading to OpenClaw 2026.2.2. The fixing commit (d1ecb46076145deb188abcba8f0699709ea17198) on the OpenClaw GitHub repository addresses the bypass by properly handling command substitution in double-quoted strings.

Details

CWE(s): CWE-78

Affected Products

openclaw

≤ 2026.2.2

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059 Command and Scripting Interpreter Execution

Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.

attack.mitre.org →

Why these techniques?

Unauthenticated remote OS command injection (CWE-78) in a public-facing application enables exploitation of public-facing apps (T1190) to achieve arbitrary remote command execution (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/openclaw/openclaw/commit/d1ecb46076145deb188abcba8f0699709ea17198
Patch · disclosure@vulncheck.com
https://github.com/openclaw/openclaw/security/advisories/GHSA-3hcm-ggvf-rch5
Vendor Advisory · disclosure@vulncheck.com
https://www.vulncheck.com/advisories/openclaw-exec-allowlist-bypass-via-command-substitution-in-double-quotes
Third Party Advisory · disclosure@vulncheck.com