CVE-2026-28470
Published: 05 March 2026
Summary
CVE-2026-28470 is a critical-severity OS Command Injection (CWE-78) vulnerability in Openclaw Openclaw. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 27.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the vulnerability by requiring timely remediation through upgrading to OpenClaw 2026.2.2, which fixes the exec approvals allowlist bypass.
Requires validation of inputs to the exec function to reject command substitution syntax like unescaped $() or backticks in double-quoted strings.
Limits the impact of arbitrary command execution by enforcing least privilege on the vulnerable OpenClaw process.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated remote OS command injection (CWE-78) in a public-facing application enables exploitation of public-facing apps (T1190) to achieve arbitrary remote command execution (T1059).
NVD Description
OpenClaw versions prior to 2026.2.2 contain an exec approvals (must be enabled) allowlist bypass vulnerability that allows attackers to execute arbitrary commands by injecting command substitution syntax. Attackers can bypass the allowlist protection by embedding unescaped $() or backticks inside…
more
double-quoted strings to execute unauthorized commands.
Deeper analysisAI
CVE-2026-28470, published on 2026-03-05, is a critical vulnerability (CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) in OpenClaw versions prior to 2026.2.2. It manifests as an exec approvals allowlist bypass, which requires the feature to be enabled, enabling attackers to execute arbitrary commands through command substitution syntax. Specifically, attackers can embed unescaped $() constructs or backticks inside double-quoted strings to circumvent the allowlist protections. The issue is categorized under CWE-78 (OS Command Injection).
The vulnerability is exploitable by unauthenticated remote attackers requiring no user interaction and low attack complexity. Exploitation allows bypassing the exec approvals mechanism to run unauthorized commands on the affected system, resulting in high impacts to confidentiality, integrity, and availability.
Mitigation guidance from advisories, including the GitHub security advisory (GHSA-3hcm-ggvf-rch5) and Vulncheck, points to upgrading to OpenClaw 2026.2.2. The fixing commit (d1ecb46076145deb188abcba8f0699709ea17198) on the OpenClaw GitHub repository addresses the bypass by properly handling command substitution in double-quoted strings.
Details
- CWE(s)