HIGHCVE-2026-28463Published 2026-03-05Modified 2026-04-21CNA VulnCheck

CVE-2026-28463: OpenClaw < 2026.2.14 - Arbitrary File Read via Shell Expansion in Safe Bins Allowlist

OpenClaw versions prior to 2026.2.14 contain an arbitrary file read vulnerability in the exec-approvals allowlist validation that checks pre-expansion argv tokens but executes using real shell expansion. Attackers with authorization or through prompt-injection attacks can exploit safe binaries like head, tail, or grep with glob patterns or environment variables to disclose files readable by the gateway or node process when host execution is enabled in allowlist mode.

CVSS v4.0: 8.6
Severity: HIGH
Fixed in: 2026.2.14
Affected Products: 1

Fix available

2026.2.14

Patch commits

Patch Commit

Affected packages

OpenClaw / OpenClaw
< 2026.2.14 (from 0)

CVSS Vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References

GitHub Security Advisory (GHSA-xvhf-x56f-2hpp)
Patch Commit
VulnCheck Advisory: OpenClaw < 2026.2.14 - Arbitrary File Read via Shell Expansion in Safe Bins Allowlist

Metrics

Fix available