GHSA-7XHJ-55Q9-PC3M

Vulnerability from github – Published: 2026-03-03 18:09 – Updated: 2026-03-06 01:00
Summary
OpenClaw's hook transform module path allows traversal and arbitrary JavaScript module loading
Details

Summary

OpenClaw hook mapping transforms could be loaded via absolute paths or .. traversal, allowing arbitrary JavaScript module loading/execution in the gateway process when an attacker can modify hooks configuration.

Affected Versions

  • Affected: >= 2.0.0-beta3 and <= 2026.2.13
  • Fixed: 2026.2.14

Details

hooks.mappings[].transform.module is dynamically imported and executed during webhook processing. Path resolution previously accepted absolute paths and did not enforce containment for relative paths, so a config-controlled transform could resolve outside the intended transforms directory.

Impact

If an attacker can write the OpenClaw config (or otherwise update hooks config through authenticated configuration mechanisms), they could point a hook mapping transform at an arbitrary module on disk and execute code with the gateway process privileges.

Reproduction (config-controlled module load)

  1. Configure a hook mapping that points to a transform path that escapes the transforms directory (for example via .. traversal).
  2. Place a malicious ESM module at the resolved location that executes arbitrary code in the gateway process.
  3. Trigger the hook endpoint with the correct hook token.

Fix

Transform loading is now constrained to the OpenClaw transforms root directory:

  • Root: ~/.openclaw/hooks/transforms
  • hooks.transformsDir must be within that directory
  • transform.module must be within the selected transforms directory

Attempts to escape the root (absolute paths outside, .. traversal) are rejected.

Fix commit(s):

  • a0361b8ba959e8506dc79d638b6e6a00d12887e4
  • 18e8bd68c5015a894f999c6d5e6e32468965bfb5

Credits

OpenClaw thanks @akhmittra for reporting.


{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2026.2.13"
      },
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0-beta3"
            },
            {
              "fixed": "2026.2.14"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-28393"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-427"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-03T18:09:54Z",
    "nvd_published_at": "2026-03-05T22:16:15Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\nOpenClaw hook mapping transforms could be loaded via absolute paths or `..` traversal, allowing arbitrary JavaScript module loading/execution in the gateway process when an attacker can modify hooks configuration.\n\n## Affected Versions\n\n- Affected: \u003e= 2.0.0-beta3 and \u003c= 2026.2.13\n- Fixed: 2026.2.14\n\n## Details\n\n`hooks.mappings[].transform.module` is dynamically imported and executed during webhook processing. Path resolution previously accepted absolute paths and did not enforce containment for relative paths, so a config-controlled transform could resolve outside the intended transforms directory.\n\n## Impact\n\nIf an attacker can write the OpenClaw config (or otherwise update hooks config through authenticated configuration mechanisms), they could point a hook mapping transform at an arbitrary module on disk and execute code with the gateway process privileges.\n\n## Reproduction (config-controlled module load)\n\n1. Configure a hook mapping that points to a transform path that escapes the transforms directory (for example via `..` traversal).\n2. Place a malicious ESM module at the resolved location that executes arbitrary code in the gateway process.\n3. Trigger the hook endpoint with the correct hook token.\n\n## Fix\n\nTransform loading is now constrained to the OpenClaw transforms root directory:\n\n- Root: `~/.openclaw/hooks/transforms`\n- `hooks.transformsDir` must be within that directory\n- `transform.module` must be within the selected transforms directory\n\nAttempts to escape the root (absolute paths outside, `..` traversal) are rejected.\n\nFix commit(s):\n\n- a0361b8ba959e8506dc79d638b6e6a00d12887e4\n- 18e8bd68c5015a894f999c6d5e6e32468965bfb5\n\n## Credits\n\nOpenClaw thanks @akhmittra for reporting.",
  "id": "GHSA-7xhj-55q9-pc3m",
  "modified": "2026-03-06T01:00:08Z",
  "published": "2026-03-03T18:09:54Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-7xhj-55q9-pc3m"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28393"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/18e8bd68c5015a894f999c6d5e6e32468965bfb5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/a0361b8ba959e8506dc79d638b6e6a00d12887e4"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-beta-arbitrary-javascript-module-loading-via-hook-transform-path-traversal"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenClaw\u0027s hook transform module path allows traversal and arbitrary JavaScript module loading"
}