Cyber Resilience

CVE-2026-28460

MediumPublic PoCRCE

Published: 19 March 2026

Published
19 March 2026
Modified
25 March 2026
KEV Added
Patch
CVSS Score v4 6.0 CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0044 35.0th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-28460 is a medium-severity OS Command Injection (CWE-78) vulnerability in Openclaw Openclaw. Its CVSS base score is 6.0 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 35.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-28460 is an allowlist bypass vulnerability in the system.run component of OpenClaw versions prior to 2026.2.22. The issue enables attackers to execute non-allowlisted commands by splitting command substitution using shell line-continuation characters. Specifically, attackers can inject "$\" followed by a newline and an opening parenthesis inside double quotes, causing the shell to fold the line continuation into executable command substitution that circumvents approval boundaries. It is associated with CWE-78 (OS Command Injection) and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L).

The vulnerability can be exploited remotely over the network by attackers with low privileges, requiring low complexity and no user interaction. Exploitation allows execution of arbitrary commands outside the intended allowlist, resulting in high integrity impact through unauthorized command execution or modification, alongside low availability impact, but no confidentiality loss.

Mitigation is addressed by updating to OpenClaw version 2026.2.22 or later, as detailed in the patching commit at https://github.com/openclaw/openclaw/commit/3f0b9dbb36c86e308267924c0d3d4a4e1fc4d1e9. Further guidance appears in the GitHub security advisory at https://github.com/openclaw/openclaw/security/advisories/GHSA-9868-vxmx-w862 and the VulnCheck advisory at https://www.vulncheck.com/advisories/openclaw-allowlist-bypass-via-shell-line-continuation-command-substitution-in-system-run.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

OpenClaw versions prior to 2026.2.22 contain an allowlist bypass vulnerability in system.run that allows attackers to execute non-allowlisted commands by splitting command substitution using shell line-continuation characters. Attackers can bypass security analysis by injecting $\\ followed by a newline and…

more

opening parenthesis inside double quotes, causing the shell to fold the line continuation into executable command substitution that circumvents approval boundaries.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

OS command injection (CWE-78) via shell line-continuation bypass directly enables remote exploitation of a public-facing application (T1190) and arbitrary Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-32003Same product: Openclaw Openclaw
CVE-2026-22179Same product: Openclaw Openclaw
CVE-2026-32917Same product: Openclaw Openclaw
CVE-2026-31996Same product: Openclaw Openclaw
CVE-2026-29607Same product: Openclaw Openclaw
CVE-2026-32034Same product: Openclaw Openclaw
CVE-2026-32056Same product: Openclaw Openclaw
CVE-2026-27566Same product: Openclaw Openclaw
CVE-2026-28463Same product: Openclaw Openclaw
CVE-2026-32010Same product: Openclaw Openclaw

Affected Assets

openclaw
openclaw
≤ 2026.2.22

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Implements input validation at the system.run interface to detect and block shell line-continuation injections that bypass the command allowlist.

prevent

Restricts command inputs to an allowlist with proper validation criteria, preventing execution of non-allowlisted commands via shell tricks.

prevent

Mandates timely patching of the specific allowlist bypass flaw in OpenClaw system.run as identified in the advisory.

References