CVE-2026-28466
OpenClaw Vulnerable to Remote Code Execution via Node Invoke Approval Bypass in Gateway
Severity: CRITICAL 9.9, EPSS 0.05%
Description
### Summary

A remote code execution (RCE) vulnerability in the gateway-to-node invocation path allowed an authenticated gateway client to bypass node-host exec approvals by injecting internal control fields into `node.invoke` parameters.

### Affected Component

- Gateway method: `node.invoke` for node command `system.run`
- Node host runner: exec approval gating for `system.run`

### Impact

If an attacker can authenticate to a gateway (for example via a leaked/shared gateway token or a paired device token with `operator.write`), they could execute arbitrary commands on connected node hosts that support `system.run`. This can lead to full compromise of developer workstations, CI runners, and servers running the node host.

### Technical Details

The gateway forwarded user-controlled `params` to node hosts without sanitizing internal approval fields. The node host treated `params.approved === true` and/or `params.approvalDecision` as sufficient to skip the approval workflow.

### Fix

Patched in **OpenClaw `2026.2.14`**.

- Commits:
  - `318379cdb8d045da0009b0051bd0e712e5c65e2d`
  - `a7af646fdab124a7536998db6bd6ad567d2b06b0`
  - `c1594627421f95b6bc4ad7c606657dc75b5ad0ce`
  - `0af76f5f0e93540efbdf054895216c398692afcd`
- Gateway strips untrusted approval control fields from `system.run` user input.
- Gateway only re-attaches approval flags when `params.runId` references a valid `exec.approval.request` record and the request context matches. Approval IDs are bound to the requesting device identity (stable across reconnects), preventing replay by other clients.
- Gateway forwards only an allowlisted set of `system.run` parameters, preventing future control-field smuggling.

### Mitigations

- Upgrade to `2026.2.14` or later.
- Restrict access to the gateway (do not expose it to untrusted networks/users).
- Rotate gateway credentials if you suspect token/password exposure.
- Disable remote command execution on nodes by blocking `system.run` at the gateway (`gateway.nodes.denyCommands`) and/or by configuring node exec security to `deny`.

### Credits

OpenClaw thanks @222n5 for reporting this issue.
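The gateway-side sanitization that the Fix section describes (strip client-supplied approval fields, allowlist forwarded parameters, re-attach approval only from a stored request bound to the caller's device identity), written out as an added illustration in JavaScript; this is not OpenClaw's own code, and the allowlisted parameter names, the in-memory approval store and all function names are assumptions made for the example.

```javascript
// Added example, not OpenClaw's code. Names below are assumptions.

// Fields a client must never be able to set directly (the bypass vector).
const APPROVAL_CONTROL_FIELDS = new Set(["approved", "approvalDecision"]);

// Assumed allowlist of system.run parameters the gateway will forward.
// Anything not listed is dropped, so a future control field cannot be smuggled.
const ALLOWED_SYSTEM_RUN_PARAMS = new Set(["command", "cwd", "env", "timeoutMs", "runId"]);

// Constructed in-memory stand-in for exec.approval.request records, keyed by runId.
// Each record is bound to the device identity that asked for approval.
const approvalRequests = new Map();

function recordApprovalRequest(runId, deviceId, decision) {
  approvalRequests.set(runId, { deviceId, decision });
}

// Sanitize user-controlled params before the gateway forwards them to a node host.
// callerDeviceId is the identity of the authenticated gateway client.
function sanitizeSystemRunParams(userParams, callerDeviceId) {
  const forwarded = {};
  for (const [key, value] of Object.entries(userParams ?? {})) {
    if (APPROVAL_CONTROL_FIELDS.has(key)) continue;      // never trust client approval flags
    if (!ALLOWED_SYSTEM_RUN_PARAMS.has(key)) continue;    // allowlist, not denylist
    forwarded[key] = value;
  }
  // Re-attach approval only when runId names a real record for this same device.
  if (typeof forwarded.runId === "string") {
    const record = approvalRequests.get(forwarded.runId);
    if (record && record.deviceId === callerDeviceId) {
      forwarded.approvalDecision = record.decision;
      forwarded.approved = record.decision === "allow";
    }
  }
  return forwarded;
}

// Constructed scenario: device-A obtained approval for run-1; device-B tries to
// inject approval directly and then to replay device-A's runId.
recordApprovalRequest("run-1", "device-A", "allow");
console.log(sanitizeSystemRunParams({ command: "echo hi", approved: true }, "device-B"));
console.log(sanitizeSystemRunParams({ command: "echo hi", runId: "run-1" }, "device-B"));
console.log(sanitizeSystemRunParams({ command: "echo hi", runId: "run-1" }, "device-A"));
```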
Affected packages (1)
- npm/openclaw: from 0, < 2026.2.14
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H |
| osv | CVSS 3.1 | CRITICAL 9.9 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
References (8)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2026-28466
- PATCH: https://github.com/openclaw/openclaw
- WEB: https://github.com/openclaw/openclaw/commit/0af76f5f0e93540efbdf054895216c398692afcd
- WEB: https://github.com/openclaw/openclaw/commit/318379cdb8d045da0009b0051bd0e712e5c65e2d
- WEB: https://github.com/openclaw/openclaw/commit/a7af646fdab124a7536998db6bd6ad567d2b06b0
- WEB: https://github.com/openclaw/openclaw/commit/c1594627421f95b6bc4ad7c606657dc75b5ad0ce
- WEB: https://github.com/openclaw/openclaw/security/advisories/GHSA-gv46-4xfq-jv58
- WEB: https://www.vulncheck.com/advisories/openclaw-remote-code-execution-via-node-invoke-approval-bypass