CVE-2026-28391 Overview
OpenClaw versions prior to 2026.2.2 contain a critical command injection vulnerability due to improper validation of Windows cmd.exe metacharacters in allowlist-gated exec requests. Remote attackers can exploit this flaw by crafting command strings containing shell metacharacters such as & or %...% to bypass command approval restrictions and execute unapproved commands beyond the allowlisted operations.
Critical Impact
Remote attackers can bypass security controls and execute arbitrary commands on affected Windows systems, potentially leading to complete system compromise without authentication.
Affected Products
- OpenClaw versions prior to 2026.2.2
Discovery Timeline
- 2026-03-05 - CVE CVE-2026-28391 published to NVD
- 2026-03-05 - Last updated in NVD database
Technical Details for CVE-2026-28391
Vulnerability Analysis
This vulnerability stems from CWE-184 (Incomplete List of Disallowed Inputs), where the allowlist enforcement mechanism fails to account for Windows-specific command shell metacharacters. The exec approval system was designed to restrict command execution to a predefined set of safe operations, but the validation logic did not properly sanitize Windows cmd.exe special characters that can be used to chain or inject additional commands.
When processing exec requests on Windows systems, the application parses command strings through an allowlist validator. However, this validator was not platform-aware and did not block Windows-specific metacharacters like & (command chaining), | (piping), ^ (escape character), % (environment variable expansion), and ! (delayed expansion). An attacker could construct a command that appears to match an allowlisted operation but contains hidden metacharacters that execute additional malicious commands when processed by cmd.exe.
Root Cause
The root cause is an incomplete blocklist implementation in the exec approval validation logic. The original code defined DISALLOWED_PIPELINE_TOKENS to block certain shell metacharacters, but this list was Unix-centric and did not include Windows-specific tokens. The validation code lacked platform awareness, meaning it applied the same sanitization rules regardless of whether the target system was running Windows or a Unix-like operating system.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker can submit a crafted exec request that includes Windows metacharacters embedded within what appears to be an allowlisted command. For example, a request might use the & character to append an unauthorized command after an approved one, or use %VARIABLE% syntax to inject environment variable content. Since the validator does not strip or reject these characters, the full command string passes validation but executes multiple operations when processed by the Windows shell.
The security patch introduces platform-aware validation by adding a WINDOWS_UNSUPPORTED_TOKENS set and passing the platform information to the allowlist evaluation function:
const DISALLOWED_PIPELINE_TOKENS = new Set([">", "<", "`", "\n", "\r", "(", ")"]);
const DOUBLE_QUOTE_ESCAPES = new Set(["\\", '"', "$", "`", "\n", "\r"]);
+const WINDOWS_UNSUPPORTED_TOKENS = new Set([
+ "&",
+ "|",
+ "<",
+ ">",
+ "^",
+ "(",
+ ")",
+ "%",
+ "!",
+ "\n",
+ "\r",
+]);
Source: GitHub Commit Update
The patch also modifies the bash-tools exec handler to pass platform information to the allowlist evaluator:
safeBins: new Set(),
cwd: workdir,
env,
+ platform: nodeInfo?.platform,
});
let analysisOk = baseAllowlistEval.analysisOk;
let allowlistSatisfied = false;
Source: GitHub Commit Update
Detection Methods for CVE-2026-28391
Indicators of Compromise
- Exec requests containing Windows metacharacters (&, |, ^, %, !) in command strings
- Unexpected command execution patterns on Windows systems running OpenClaw
- Process creation events showing chained commands from OpenClaw-related processes
Detection Strategies
- Monitor exec request logs for command strings containing Windows shell metacharacters
- Implement behavioral detection rules for unusual child process spawning from OpenClaw processes
- Analyze network traffic for exec API requests with suspicious command patterns
Monitoring Recommendations
- Enable verbose logging for all exec requests processed by OpenClaw
- Configure SIEM alerts for command injection pattern matches in application logs
- Deploy endpoint detection to monitor cmd.exe process trees originating from OpenClaw
How to Mitigate CVE-2026-28391
Immediate Actions Required
- Upgrade OpenClaw to version 2026.2.2 or later immediately
- Review recent exec request logs for potential exploitation attempts
- Consider temporarily disabling allowlist-gated exec functionality until patching is complete
Patch Information
The vulnerability is addressed in OpenClaw version 2026.2.2. The fix introduces platform-aware validation by adding a comprehensive set of Windows-specific tokens to the blocklist and modifying the allowlist evaluation to consider the target platform. For technical details on the patch implementation, see the GitHub Commit Update and the GitHub Security Advisory GHSA-qj77-c3c8-9c3q.
Workarounds
- Implement network-level filtering to reject exec requests containing Windows metacharacters
- Restrict access to the exec API endpoint to trusted networks only
- Deploy a web application firewall (WAF) with rules to detect command injection patterns
# Example: Block metacharacters at network level (if using nginx)
location /api/exec {
if ($request_body ~* "[&|^%!]") {
return 403;
}
proxy_pass http://openclaw_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
