OpenClaw RCE: Hook, Line, and Sinker
Vulnerability ID: GHSA-V6C6-VQQG-W888
CVSS Score: 9.1
Published: 2026-02-18
OpenClaw, a personal AI assistant framework, shipped with a critical oversight in its Gateway component. By prioritizing flexibility over security, the developers allowed the application's hook system to dynamically import JavaScript modules based on user-supplied configuration paths. This effectively turned the 'transform' feature into a gateway for Remote Code Execution (RCE), allowing attackers with configuration access to load arbitrary code from the filesystem.
TL;DR
OpenClaw's Gateway allowed dynamic loading of JS modules via configuration without path validation. Attackers can point the module parameter to any file on disk, leading to RCE. Fixed in v2026.2.14.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-73 / CWE-94
- Attack Vector: Network (Configuration API)
- CVSS: 9.1 (Critical)
- Impact: Remote Code Execution (RCE)
- Exploit Status: PoC Available (Patch Tests)
- Platform: Node.js / TypeScript
Affected Systems
- OpenClaw Gateway
- OpenClaw: < 2026.2.14 (Fixed in: 2026.2.14)
Code Analysis
Commit: 35c0e66
harden hooks module loading
+ import { SafeRelativeModulePathSchema } from './schema';
Commit: a0361b8
restrict hook transform module loading
+ if (!isSafeRelativeModulePath(module)) throw new Error('Unsafe path');
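Review bot: the guard `if (!isSafeRelativeModulePath(module)) throw new Error('Unsafe path');` should name the hook and the rejected value in the error rather than the bare 'Unsafe path', so that a blocked load attempt is something an operator can actually find in Gateway logs. The snippet also does not show what `isSafeRelativeModulePath` accepts; confirm it rejects absolute paths, `..` segments after normalisation and null bytes, since a lexical check that misses any one of these still lets a configuration value escape the hooks directory, and make sure the check runs before the dynamic import, not after.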
Exploit Details
- Internal Test Suite: PoC derived from unit tests added in the patch commit.
Mitigation Strategies
- Input Validation
- Path Sanitization
- Principle of Least Privilege
- Network Segmentation
Remediation Steps
- Upgrade OpenClaw to version v2026.2.14 or later.
- Audit existing Gateway configurations for suspicious 'transform.module' paths.
- Restrict network access to the Gateway management API.
- Ensure the file system user running OpenClaw has minimal write permissions.
References
Read the full report for GHSA-V6C6-VQQG-W888 on our website for more details including interactive diagrams and full exploit analysis.