Description
OpenClaw versions 2.0.0-beta3 prior to 2026.2.14 contain a path traversal vulnerability in hook transform module loading that allows arbitrary JavaScript execution. The hooks.mappings[].transform.module parameter accepts absolute paths and traversal sequences, enabling attackers with configuration write access to load and execute malicious modules with gateway process privileges.
Published: 2026-03-05
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

OpenClaw versions prior to 2026.2.14 have a path traversal flaw in the hook transform module loader that lets an attacker provide an absolute path or traversal string via the hooks.mappings[].transform.module parameter, causing the gateway process to import and execute arbitrary JavaScript code. This results in the execution of attacker‑supplied code with gateway‑level privileges, compromising confidentiality, integrity, and availability of the system.

Affected Systems

The vulnerability affects the OpenClaw product, specifically all beta releases of version 2.0.0 (beta3, beta4, beta5) before the 2026.2.14 patch. The affected builds are listed in the CPE data as OpenClaw 2.0.0-beta3 through beta5 on a Node.js environment.

Risk and Exploitability

The CVSS score is 8.3, indicating high severity, while the EPSS score is below 1%, suggesting a low probability of exploitation. The vulnerability is not in the CISA KEV catalog. The attack does not require remote network access; it is inferred that an attacker needs configuration write access or a pathway to modify the hooks.mappings[].transform.module value, which could arise from local privilege or misconfigured system access. Once the attacker supplies a crafted module path, the gateway process will load and execute it, achieving remote code execution on the host.

Generated by OpenCVE AI on April 16, 2026 at 04:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenClaw to version 2026.2.14 or later to eliminate the path traversal and module loading flaw.
  • If an immediate upgrade is not feasible, restrict filesystem permissions so that only trusted users can write the OpenClaw configuration files, preventing injection of malicious module paths.
  • Implement input validation or a whitelist for hooks.mappings[].transform.module to allow only relative, safe paths and block any absolute or traversal sequences.

Generated by OpenCVE AI on April 16, 2026 at 04:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-7xhj-55q9-pc3m OpenClaw's hook transform module path allows traversal and arbitrary JavaScript module loading
History

Wed, 11 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 11 Mar 2026 05:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-427

Tue, 10 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-22
CPEs cpe:2.3:a:openclaw:openclaw:2.0.0:beta3:*:*:*:node.js:*:*
cpe:2.3:a:openclaw:openclaw:2.0.0:beta4:*:*:*:node.js:*:*
cpe:2.3:a:openclaw:openclaw:2.0.0:beta5:*:*:*:node.js:*:*

Fri, 06 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

 cvssV3_1

{'score': 7.7, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

Thu, 05 Mar 2026 22:15:00 +0000

Type Values Removed Values Added
Description OpenClaw versions 2.0.0-beta3 prior to 2026.2.14 contain a path traversal vulnerability in hook transform module loading that allows arbitrary JavaScript execution. The hooks.mappings[].transform.module parameter accepts absolute paths and traversal sequences, enabling attackers with configuration write access to load and execute malicious modules with gateway process privileges.
Title OpenClaw 2.0.0-beta3 < 2026.2.14 - Arbitrary JavaScript Module Loading via Hook Transform Path Traversal
First Time appeared Openclaw
Openclaw openclaw
Weaknesses CWE-427
CPEs cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products Openclaw
Openclaw openclaw
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

cvssV4_0

{'score': 8.3, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Openclaw Openclaw
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-11T13:33:46.364Z

Reserved: 2026-02-27T15:13:52.373Z

Link: CVE-2026-28393

cve-icon Vulnrichment

Updated: 2026-03-11T13:32:55.368Z

cve-icon NVD

Status : Modified

Published: 2026-03-05T22:16:15.767

Modified: 2026-03-11T05:17:59.770

Link: CVE-2026-28393

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T04:45:16Z

Weaknesses