CRITICALCVE-2026-28363Published Modified CNA mitre
CVE-2026-28363: In OpenClaw before 2026
In OpenClaw before 2026.2.23, tools.exec.safeBins validation for sort could be bypassed via GNU long-option abbreviations (such as --compress-prog) in allowlist mode, leading to approval-free execution paths that were intended to require approval. Only an exact string such as --compress-program was denied.
Metrics
- CVSS v3.1
- 9.9
- Severity
- CRITICAL
- Fixed in
- 2026.2.23
- Affected Products
- 1
Fix available
2026.2.23
Affected packages
- OpenClaw / OpenClaw< 2026.2.23 (from 0)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HReferences