CVE-2026-28466: OpenClaw Vulnerable to Remote Code Execution via Node Invoke Approval Bypass in Gateway
A remote code execution (RCE) vulnerability in the gateway-to-node invocation path allowed an authenticated gateway client to bypass node-host exec approvals by injecting internal control fields into node.invoke parameters.
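The defensive pattern this bug class calls for, as an added example that is not OpenClaw's own code: client-supplied node.invoke parameters are scanned for reserved control keys and rejected if any are present, and the approval state is attached by the gateway in a separate envelope it builds itself. The control field names and the request shape below are placeholders, since the advisory does not list the actual internal fields.

```javascript
// Hypothetical names for the gateway's internal control fields; the real
// field names are not given in the advisory.
const INTERNAL_CONTROL_FIELDS = new Set(['approved', 'approvalId', 'skipApproval']);

class ApprovalBypassError extends Error {}

// Walk the client-supplied params (including nested objects and arrays) and
// return the dotted path of the first reserved control key found, else null.
function findInternalField(value, path = '') {
  if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) {
      const hit = findInternalField(value[i], `${path}[${i}]`);
      if (hit) return hit;
    }
    return null;
  }
  if (value !== null && typeof value === 'object') {
    for (const key of Object.keys(value)) {
      const keyPath = path ? `${path}.${key}` : key;
      if (INTERNAL_CONTROL_FIELDS.has(key)) return keyPath;
      const hit = findInternalField(value[key], keyPath);
      if (hit) return hit;
    }
  }
  return null;
}

// Build the message sent to the node host. Untrusted params never share an
// object with control fields; the approval decision comes only from the
// gateway's own check (approvalDecision is a constructed placeholder shape).
function buildNodeInvoke(clientRequest, approvalDecision) {
  const hit = findInternalField(clientRequest.params);
  if (hit !== null) {
    throw new ApprovalBypassError(`reserved control field in client params: ${hit}`);
  }
  return {
    node: clientRequest.node,
    command: clientRequest.command,
    params: clientRequest.params,
    control: { approved: approvalDecision.approved, approvalId: approvalDecision.id },
  };
}
```

Rejecting the request outright, rather than silently stripping the keys, also gives the gateway a clear event to log and alert on.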
References
- github.com/advisories/GHSA-gv46-4xfq-jv58
- github.com/openclaw/openclaw
- github.com/openclaw/openclaw/commit/0af76f5f0e93540efbdf054895216c398692afcd
- github.com/openclaw/openclaw/commit/318379cdb8d045da0009b0051bd0e712e5c65e2d
- github.com/openclaw/openclaw/commit/a7af646fdab124a7536998db6bd6ad567d2b06b0
- github.com/openclaw/openclaw/commit/c1594627421f95b6bc4ad7c606657dc75b5ad0ce
- github.com/openclaw/openclaw/security/advisories/GHSA-gv46-4xfq-jv58
- nvd.nist.gov/vuln/detail/CVE-2026-28466
- www.vulncheck.com/advisories/openclaw-remote-code-execution-via-node-invoke-approval-bypass