Cyber Resilience

CVE-2026-28470

CriticalPublic PoCRCE

Published: 05 March 2026

Published
05 March 2026
Modified
25 March 2026
KEV Added
Patch
CVSS Score v4 9.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0048 37.4th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-28470 is a critical-severity OS Command Injection (CWE-78) vulnerability in Openclaw Openclaw. Its CVSS base score is 9.2 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 37.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-28470, published on 2026-03-05, is a critical vulnerability (CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) in OpenClaw versions prior to 2026.2.2. It manifests as an exec approvals allowlist bypass, which requires the feature to be enabled, enabling attackers to execute arbitrary commands through command substitution syntax. Specifically, attackers can embed unescaped $() constructs or backticks inside double-quoted strings to circumvent the allowlist protections. The issue is categorized under CWE-78 (OS Command Injection).

The vulnerability is exploitable by unauthenticated remote attackers requiring no user interaction and low attack complexity. Exploitation allows bypassing the exec approvals mechanism to run unauthorized commands on the affected system, resulting in high impacts to confidentiality, integrity, and availability.

Mitigation guidance from advisories, including the GitHub security advisory (GHSA-3hcm-ggvf-rch5) and Vulncheck, points to upgrading to OpenClaw 2026.2.2. The fixing commit (d1ecb46076145deb188abcba8f0699709ea17198) on the OpenClaw GitHub repository addresses the bypass by properly handling command substitution in double-quoted strings.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

OpenClaw versions prior to 2026.2.2 contain an exec approvals (must be enabled) allowlist bypass vulnerability that allows attackers to execute arbitrary commands by injecting command substitution syntax. Attackers can bypass the allowlist protection by embedding unescaped $() or backticks inside…

more

double-quoted strings to execute unauthorized commands.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

Unauthenticated remote OS command injection (CWE-78) in a public-facing application enables exploitation of public-facing apps (T1190) to achieve arbitrary remote command execution (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-29607Same product: Openclaw Openclaw
CVE-2026-28460Same product: Openclaw Openclaw
CVE-2026-32003Same product: Openclaw Openclaw
CVE-2026-22179Same product: Openclaw Openclaw
CVE-2026-32034Same product: Openclaw Openclaw
CVE-2026-32917Same product: Openclaw Openclaw
CVE-2026-28391Same product: Openclaw Openclaw
CVE-2026-28454Same product: Openclaw Openclaw
CVE-2026-22176Same product: Openclaw Openclaw
CVE-2026-32000Same product: Openclaw Openclaw

Affected Assets

openclaw
openclaw
≤ 2026.2.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the vulnerability by requiring timely remediation through upgrading to OpenClaw 2026.2.2, which fixes the exec approvals allowlist bypass.

prevent

Requires validation of inputs to the exec function to reject command substitution syntax like unescaped $() or backticks in double-quoted strings.

prevent

Limits the impact of arbitrary command execution by enforcing least privilege on the vulnerable OpenClaw process.

References