CVE-2026-28466 Overview
CVE-2026-28466 is an authorization bypass vulnerability in OpenClaw versions prior to 2026.2.14 that allows authenticated attackers to execute arbitrary commands on connected node hosts. The vulnerability exists in the gateway component, which fails to properly sanitize internal approval fields in node.invoke parameters. This flaw enables attackers with valid gateway credentials to inject approval control fields and bypass exec approval gating for system.run commands, potentially compromising developer workstations and CI runners.
Critical Impact
Authenticated attackers can bypass execution approval controls to achieve remote code execution on all connected node hosts, compromising entire development and CI/CD infrastructure.
Affected Products
- OpenClaw versions prior to 2026.2.14
Discovery Timeline
- 2026-03-05 - CVE CVE-2026-28466 published to NVD
- 2026-03-05 - Last updated in NVD database
Technical Details for CVE-2026-28466
Vulnerability Analysis
This vulnerability is classified under CWE-863 (Incorrect Authorization), where the gateway component fails to enforce proper authorization checks on critical parameters. The flaw allows authenticated clients to manipulate internal approval control fields that should be exclusively managed by the server-side ExecApprovalManager. When a client sends a node.invoke request with a system.run command, the gateway previously forwarded raw parameters without sanitizing fields used for approval gating. This architectural weakness enables complete bypass of the command execution approval workflow.
The attack surface is network-accessible and requires low-privilege authenticated access to the gateway. Upon successful exploitation, attackers gain the ability to execute arbitrary system commands on any node connected to the compromised gateway, with potential for lateral movement across developer workstations and CI runners.
Root Cause
The root cause is insufficient input sanitization in the gateway's node.invoke parameter handling. Prior to the patch, when processing requests for system.run commands, the gateway did not strip or validate internal approval fields before forwarding parameters to connected nodes. This allowed clients to inject approval bypass fields directly into their requests, circumventing the intended execution approval workflow.
Attack Vector
An attacker with valid gateway credentials crafts a malicious node.invoke request containing a system.run command. By including forged internal approval control fields in the request parameters, the attacker tricks the gateway into treating the command as pre-approved. The unsanitized request is then forwarded to target nodes, where the injected approval fields cause the execution gating to be bypassed, allowing arbitrary command execution.
The patch introduces centralized sanitization through the sanitizeNodeInvokeParamsForForwarding function, which specifically intercepts system.run commands and routes them through sanitizeSystemRunParamsForForwarding to strip any client-supplied approval fields before forwarding:
import type { ExecApprovalManager } from "./exec-approval-manager.js";
import type { GatewayClient } from "./server-methods/types.js";
import { sanitizeSystemRunParamsForForwarding } from "./node-invoke-system-run-approval.js";
export function sanitizeNodeInvokeParamsForForwarding(opts: {
command: string;
rawParams: unknown;
client: GatewayClient | null;
execApprovalManager?: ExecApprovalManager;
}):
| { ok: true; params: unknown }
| { ok: false; message: string; details?: Record<string, unknown> } {
if (opts.command === "system.run") {
return sanitizeSystemRunParamsForForwarding({
rawParams: opts.rawParams,
client: opts.client,
execApprovalManager: opts.execApprovalManager,
});
}
return { ok: true, params: opts.rawParams };
}
Source: OpenClaw Commit Update
Detection Methods for CVE-2026-28466
Indicators of Compromise
- Unusual node.invoke requests containing unexpected approval-related fields in parameters
- Anomalous system.run command executions on nodes without corresponding approval workflow events
- Gateway logs showing system.run invocations from clients that bypass the standard approval flow
- Unexpected process executions on developer workstations or CI runners traced back to OpenClaw node connections
Detection Strategies
- Implement logging and alerting for all node.invoke requests targeting system.run commands
- Monitor for parameter injection patterns in gateway request logs, specifically looking for approval control field manipulation
- Deploy endpoint detection on connected nodes to identify suspicious command execution patterns
- Correlate gateway authentication events with subsequent node command executions to identify unauthorized activity
Monitoring Recommendations
- Enable verbose logging on OpenClaw gateway components to capture full request parameters
- Establish baseline behavioral analytics for system.run command usage across your infrastructure
- Configure real-time alerting for any system.run executions that do not correlate with legitimate approval workflow records
- Monitor network traffic between gateway and nodes for anomalous payload patterns
How to Mitigate CVE-2026-28466
Immediate Actions Required
- Upgrade OpenClaw to version 2026.2.14 or later immediately
- Audit gateway logs for any suspicious node.invoke requests with system.run commands that may indicate prior exploitation
- Review and rotate gateway credentials as a precautionary measure
- Temporarily restrict network access to the OpenClaw gateway to trusted IP ranges if immediate patching is not possible
Patch Information
The vulnerability is addressed in OpenClaw version 2026.2.14 through multiple commits that introduce centralized parameter sanitization for node.invoke requests. The fix ensures that all system.run commands are processed through sanitizeNodeInvokeParamsForForwarding, which delegates to sanitizeSystemRunParamsForForwarding to strip client-controlled approval fields before forwarding to nodes.
Relevant security patches:
For additional details, see the GitHub Security Advisory GHSA-gv46-4xfq-jv58 and the Vulncheck OpenClaw RCE Advisory.
Workarounds
- Implement network segmentation to limit gateway accessibility to trusted internal networks only
- Disable system.run functionality at the gateway level if not required for operations
- Deploy a web application firewall (WAF) or reverse proxy to filter requests containing suspicious approval-related parameters
- Implement additional authentication requirements for system.run operations as a defense-in-depth measure
# Restrict gateway network access (example using iptables)
iptables -A INPUT -p tcp --dport 8080 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
