{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28463", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-02-27T19:18:27.709Z", "datePublished": "2026-03-05T21:59:39.605Z", "dateUpdated": "2026-04-21T02:43:28.827Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-08T13:05:24.313Z"}, "title": "OpenClaw < 2026.2.14 - Arbitrary File Read via Shell Expansion in Safe Bins Allowlist", "datePublic": "2026-02-15T00:00:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-78", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}], "affected": [{"vendor": "OpenClaw", "product": "OpenClaw", "versions": [{"status": "affected", "version": "0", "lessThan": "2026.2.14", "versionType": "custom"}], "defaultStatus": "unaffected", "packageURL": "pkg:npm/openclaw"}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "versionEndExcluding": "2026.2.14"}]}]}], "descriptions": [{"lang": "en", "value": "OpenClaw versions prior to 2026.2.14 contain an arbitrary file read vulnerability in the exec-approvals allowlist validation that checks pre-expansion argv tokens but executes using real shell expansion. Attackers with authorization or through prompt-injection attacks can exploit safe binaries like head, tail, or grep with glob patterns or environment variables to disclose files readable by the gateway or node process when host execution is enabled in allowlist mode.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>OpenClaw versions prior to 2026.2.14 contain an arbitrary file read vulnerability in the exec-approvals allowlist validation that checks pre-expansion argv tokens but executes using real shell expansion. Attackers with authorization or through prompt-injection attacks can exploit safe binaries like head, tail, or grep with glob patterns or environment variables to disclose files readable by the gateway or node process when host execution is enabled in allowlist mode.<br></p>"}]}], "references": [{"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-xvhf-x56f-2hpp", "name": "GitHub Security Advisory (GHSA-xvhf-x56f-2hpp)", "tags": ["vendor-advisory"]}, {"url": "https://github.com/openclaw/openclaw/commit/77b89719d5b7e271f48b6f49e334a8b991468c3b", "name": "Patch Commit", "tags": ["patch"]}, {"url": "https://www.vulncheck.com/advisories/openclaw-arbitrary-file-read-via-shell-expansion-in-safe-bins-allowlist", "name": "VulnCheck Advisory: OpenClaw < 2026.2.14 - Arbitrary File Read via Shell Expansion in Safe Bins Allowlist", "tags": ["third-party-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "HIGH", "baseScore": 8.6, "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}}, {"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "HIGH", "baseScore": 8.4, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "vulncheck"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-09T17:48:13.456766Z", "id": "CVE-2026-28463", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T02:43:28.827Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28463", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-09T17:48:13.456766Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T17:48:31.457Z"}}], "cna": {"title": "OpenClaw < 2026.2.14 - Arbitrary File Read via Shell Expansion in Safe Bins Allowlist", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.6, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.4, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "OpenClaw", "product": "OpenClaw", "versions": [{"status": "affected", "version": "0", "lessThan": "2026.2.14", "versionType": "custom"}], "packageURL": "pkg:npm/openclaw", "defaultStatus": "unaffected"}], "datePublic": "2026-02-15T00:00:00.000Z", "references": [{"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-xvhf-x56f-2hpp", "name": "GitHub Security Advisory (GHSA-xvhf-x56f-2hpp)", "tags": ["vendor-advisory"]}, {"url": "https://github.com/openclaw/openclaw/commit/77b89719d5b7e271f48b6f49e334a8b991468c3b", "name": "Patch Commit", "tags": ["patch"]}, {"url": "https://www.vulncheck.com/advisories/openclaw-arbitrary-file-read-via-shell-expansion-in-safe-bins-allowlist", "name": "VulnCheck Advisory: OpenClaw < 2026.2.14 - Arbitrary File Read via Shell Expansion in Safe Bins Allowlist", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "vulncheck"}, "descriptions": [{"lang": "en", "value": "OpenClaw versions prior to 2026.2.14 contain an arbitrary file read vulnerability in the exec-approvals allowlist validation that checks pre-expansion argv tokens but executes using real shell expansion. Attackers with authorization or through prompt-injection attacks can exploit safe binaries like head, tail, or grep with glob patterns or environment variables to disclose files readable by the gateway or node process when host execution is enabled in allowlist mode.", "supportingMedia": [{"type": "text/html", "value": "<p>OpenClaw versions prior to 2026.2.14 contain an arbitrary file read vulnerability in the exec-approvals allowlist validation that checks pre-expansion argv tokens but executes using real shell expansion. Attackers with authorization or through prompt-injection attacks can exploit safe binaries like head, tail, or grep with glob patterns or environment variables to disclose files readable by the gateway or node process when host execution is enabled in allowlist mode.<br></p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "vulnerable": true, "versionEndExcluding": "2026.2.14"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-08T13:05:24.313Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28463", "state": "PUBLISHED", "dateUpdated": "2026-04-21T02:43:28.827Z", "dateReserved": "2026-02-27T19:18:27.709Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-03-05T21:59:39.605Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "0F3079A3-9FBD-4E87-821D-5CAF0622C555", "versionEndExcluding": "2026.2.14", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenClaw versions prior to 2026.2.14 contain an arbitrary file read vulnerability in the exec-approvals allowlist validation that checks pre-expansion argv tokens but executes using real shell expansion. Attackers with authorization or through prompt-injection attacks can exploit safe binaries like head, tail, or grep with glob patterns or environment variables to disclose files readable by the gateway or node process when host execution is enabled in allowlist mode."}, {"lang": "es", "value": "La validaci\u00f3n de la lista de permitidos de aprobaciones de ejecuci\u00f3n de OpenClaw comprueba los tokens argv pre-expansi\u00f3n, pero la ejecuci\u00f3n utiliza la expansi\u00f3n real del shell, permitiendo que binarios seguros como head, tail o grep lean archivos locales arbitrarios a trav\u00e9s de patrones glob o variables de entorno. Los llamadores autorizados o los ataques de inyecci\u00f3n de prompt pueden exploit esto para divulgar archivos legibles por el proceso de gateway o de nodo cuando la ejecuci\u00f3n del host est\u00e1 habilitada en modo de lista de permitidos."}], "id": "CVE-2026-28463", "lastModified": "2026-04-08T14:16:27.497", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 5.9, "source": "disclosure@vulncheck.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-03-05T22:16:19.127", "references": [{"source": "disclosure@vulncheck.com", "tags": ["Patch"], "url": "https://github.com/openclaw/openclaw/commit/77b89719d5b7e271f48b6f49e334a8b991468c3b"}, {"source": "disclosure@vulncheck.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-xvhf-x56f-2hpp"}, {"source": "disclosure@vulncheck.com", "tags": ["Third Party Advisory"], "url": "https://www.vulncheck.com/advisories/openclaw-arbitrary-file-read-via-shell-expansion-in-safe-bins-allowlist"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "disclosure@vulncheck.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2026.2.14)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "OpenClaw", "source": "cna", "vendor": "OpenClaw"}, "product": "openclaw", "vendor": "openclaw"}], "analysis": {"en": {"generated_at": "2026-04-15T19:53:58.315493+00:00", "value": {"mitigation_remediation": ["Update to OpenClaw version 2026.2.14 or later to receive the fixed allowlist validation logic.", "Remove or disable host execution in allowlist mode to prevent any shell expansion from being performed by the gateway.", "Enforce strict access controls on the execution of safe binaries so that only trusted users can invoke commands that include glob patterns or environment variables."], "summary": {"action": "Apply Patch", "impact": "Arbitrary File Read"}, "threat_synthesis": {"affected_systems": "Affected systems include any deployment of OpenClaw running a version older than 2026.2.14. The vulnerability is present in all iterations of OpenClaw prior to the 2026.2.14 release, regardless of platform, as the bug originates in the generic exec\u2011approval mechanism that applies globally.", "description_and_impact": "OpenClaw versions before 2026.2.14 permit an arbitrary file read due to a flaw in the exec-approvals allowlist. The validation step checks each argument before shell expansion, but the subsequent execution performs a real shell expansion, allowing attackers to use glob patterns or environment variables with safe binaries such as head, tail, or grep to read files accessible to the gateway or Node.js process. This flaw is an example of CWE\u201178, which represents a command injection or privilege escalation via uncontrolled use of system shell features.", "risk_and_exploitability": "The CVSS base score of 8.6 classifies this issue as high severity. The EPSS score indicates an exploitation probability of less than 1%, and the vulnerability is not yet listed in CISA's KEV catalog. The attack vector likely requires either elevated privileges that allow execution of safe binaries or an attacker capable of executing prompt\u2011injection attacks to trigger shell expansion, thereby exposing non\u2011secret files that the gateway or Node.js process can read."}}}}, "created": "2026-03-06T15:00:09.649243+00:00", "updated": "2026-04-15T20:00:06.620866+00:00", "vendors": ["openclaw", "openclaw$PRODUCT$openclaw"]}