Cyber Posture

CVE-2026-28393

Severity: High · Public PoC

Published: 05 March 2026
Modified: 11 March 2026
KEV Added:
Patch:
CVSS Score: 7.7 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0011 (29.0th percentile)
Risk Priority: 15 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-28393 is a high-severity Path Traversal (CWE-22) vulnerability in Openclaw Openclaw. Its CVSS base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 29.0th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068) and one other technique (T1059.007, listed below). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)
Directly mitigates the path traversal vulnerability by enforcing validation of the hooks.mappings[].transform.module parameter to reject absolute paths and traversal sequences.

SI-2 Flaw Remediation (prevent)
Ensures timely flaw remediation through patching to OpenClaw 2026.2.14 or later, which fixes the improper module path handling.

(prevent)
Restricts logical access to configuration changes, limiting the ability of attackers to write malicious hooks.mappings[].transform.module values.

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

T1059.007 JavaScript (tactic: Execution)
Adversaries may abuse various implementations of JavaScript for execution.

Why these techniques?

Path traversal enables loading and execution of arbitrary JavaScript modules with gateway process privileges, directly facilitating exploitation for privilege escalation (T1068) and JavaScript interpreter abuse (T1059.007).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

OpenClaw versions 2.0.0-beta3 prior to 2026.2.14 contain a path traversal vulnerability in hook transform module loading that allows arbitrary JavaScript execution. The hooks.mappings[].transform.module parameter accepts absolute paths and traversal sequences, enabling attackers with configuration write access to load and execute malicious modules with gateway process privileges.

Deeper analysis

OpenClaw versions 2.0.0-beta3 prior to 2026.2.14 are affected by CVE-2026-28393, a path traversal vulnerability (CWE-22) in the hook transform module loading functionality. The vulnerability arises because the hooks.mappings[].transform.module parameter improperly accepts absolute paths and traversal sequences, enabling the loading and execution of arbitrary JavaScript modules. Published on 2026-03-05, it carries a CVSS v3.1 base score of 7.7 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating high confidentiality and integrity impacts with no availability disruption.

Attackers with configuration write access can exploit this issue locally with low complexity and no user interaction. By supplying malicious paths in the transform.module parameter, they can load arbitrary JavaScript modules that execute with the privileges of the gateway process, potentially leading to unauthorized access, data manipulation, or further compromise within the OpenClaw environment.

Mitigation involves upgrading to OpenClaw version 2026.2.14 or later, where the vulnerability is addressed. Relevant patches are detailed in GitHub commits 18e8bd68c5015a894f999c6d5e6e32468965bfb5 and a0361b8ba959e8506dc79d638b6e6a00d12887e4. Additional guidance appears in the OpenClaw security advisory GHSA-7xhj-55q9-pc3m and the VulnCheck advisory at https://www.vulncheck.com/advisories/openclaw-beta-arbitrary-javascript-module-loading-via-hook-transform-path-traversal.

Details

CWE(s): CWE-22 (Path Traversal)

Affected Products

openclaw / openclaw: 2.0.0 · 2026.1.4 — 2026.2.14

CVEs Like This One

CVE-2026-32060 (same product: Openclaw Openclaw)
CVE-2026-27523 (same product: Openclaw Openclaw)
CVE-2026-32007 (same product: Openclaw Openclaw)
CVE-2026-41383 (same product: Openclaw Openclaw)
CVE-2026-32030 (same product: Openclaw Openclaw)
CVE-2026-33581 (same product: Openclaw Openclaw)
CVE-2026-28462 (same product: Openclaw Openclaw)
CVE-2026-22171 (same product: Openclaw Openclaw)
CVE-2026-32978 (same product: Openclaw Openclaw)
CVE-2026-28453 (same product: Openclaw Openclaw)

References