OpenClaw Multiple Critical Vulnerabilities
Product: OpenClaw AI Automation Platform
Affected Components: Core Engine, Gateway Service, Telegram Webhook Integration, Nextcloud Talk Plugin, Voice-Call Plugin
Severity: Critical
Impact: Unauthorized command execution, authentication bypass, identity spoofing, sensitive data exposure, automation abuse
Affected Deployments: Local installations, developer workstations, automation servers, and environments where OpenClaw is connected to messaging platforms or automation pipelines.
A set of critical security flaws has been identified in different OpenClaw components. The issues stem primarily from improper input validation, identity verification weaknesses, unsafe command handling, and insufficient authentication checks in external integrations.
OpenClaw is commonly configured to execute automation tasks and system commands on behalf of users. Because of this design, vulnerabilities in the platform may allow attackers to trigger actions that normally require trusted approval.
Under certain conditions, attackers may exploit these weaknesses to:
- Execute commands on the host machine
- Bypass allowlist protections
- Trigger automation through messaging platforms
- Impersonate trusted identities
- Force sensitive files into source control repositories
In many environments OpenClaw is deployed with developer-level permissions or elevated privileges, which increases the potential impact if these vulnerabilities are abused.
Vulnerability Summary
| Vulnerability | CVE | CVSS Score | Severity | Exploitability | Exploit Availability |
|---|---|---|---|---|---|
| Git Pre-Commit Hook Option Injection | CVE-2026-28484 | 9.8 | Critical | High | Public technical details available |
| Nextcloud Talk Display Name Allowlist Bypass | CVE-2026-28474 | 9.1 | Critical | Medium | No confirmed exploit code |
| WebSocket Handshake Identity Validation Bypass | CVE-2026-28472 | 9.6 | Critical | High | Proof-of-concept reported |
| Command Execution Allowlist Bypass | CVE-2026-28470 | 9.8 | Critical | High | Exploit concept publicly discussed |
| Gateway Approval Field Injection | CVE-2026-28466 | 9.3 | Critical | Medium | No confirmed exploit code |
| Telegram Webhook Authentication Bypass | CVE-2026-28454 | 9.4 | Critical | High | Easy exploitation possible |
| Voice-Call Plugin Caller ID Allowlist Bypass | CVE-2026-28446 | 9.0 | Critical | Medium | No confirmed exploit code |
CVE-2026-28484 – Git Pre-Commit Hook Option Injection
Description
A flaw exists in the Git pre-commit hook implementation used by OpenClaw repositories. The hook attempts to process files staged for commit and forwards filenames directly to Git commands without properly separating command arguments from file paths.
Because filenames are interpreted as command parameters when they begin with dash characters, specially crafted filenames may be processed as Git options rather than file names.
As a result, files that were intentionally excluded through .gitignore rules may be forced into the staging area and committed to the repository.
Sensitive files commonly affected include:
- .env configuration files
- credential storage files
- API tokens
- SSH private keys
- configuration secrets used in automation scripts
Impact
If exploited, sensitive information may be unintentionally committed to a repository and potentially exposed to collaborators or public repositories.
Once secrets enter Git history they remain retrievable even if removed later.
In automation environments this may lead to:
- credential theft
- supply chain compromise
- API abuse
- unauthorized access to infrastructure
MITRE ATT&CK Mapping
T1552 – Unsecured Credentials
T1565 – Data Manipulation
T1059 – Command Execution
Exploitation Scenario
An attacker with access to the repository workspace may create a file whose name begins with characters interpreted by Git as command flags.
When the pre-commit hook runs, the crafted filename alters how the Git command processes files. This may force Git to stage files that were previously ignored by configuration rules.
Example educational demonstration:
touch -- "--all"
When processed by the hook, the filename may be interpreted as a Git option.
Proof of Concept (Educational)
touch -- "--force-add"
git add .
git commit -m "test"
In vulnerable environments the hook may process the argument as a Git option rather than a filename.
Detection
Log Sources
- Git audit logs
- repository activity logs
- CI/CD pipeline logs
- version control commit history
Indicators of Compromise
- unexpected commits containing sensitive files
- filenames beginning with dash characters
- commits including .env, .key, .pem, .config files
Detection Queries
Splunk
index=git_logs action=commit
| search filename="-*"
Elastic / KQL
git.file.name : "-*"
LogQL
{job="git"} |= "commit" |= "-"
Remediation
Pre-commit hook logic has been updated to ensure file names are properly escaped and passed to Git commands using argument separation.
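
The argument separation described above, as an added example that is not OpenClaw's hook code. It assumes the hook passes staged names to `git add` and reads them from `git diff --cached --name-only -z`; the function names and the sample path list are constructed for illustration.

```python
import os

# Suffixes taken from the indicators listed above; extend for your repository.
SENSITIVE_SUFFIXES = (".env", ".key", ".pem", ".config")

def parse_staged(raw: bytes) -> list:
    """Split the NUL-delimited output of `git diff --cached --name-only -z`."""
    return [os.fsdecode(p) for p in raw.split(b"\0") if p]

def option_like(paths):
    """Names a command would parse as options if they were passed bare."""
    return [p for p in paths if p.startswith("-")]

def sensitive(paths):
    """Staged paths whose file name ends in a secret-bearing suffix."""
    return [p for p in paths
            if os.path.basename(p).lower().endswith(SENSITIVE_SUFFIXES)]

def unsafe_argv(paths):
    """Vulnerable pattern: file names land where git still expects options."""
    return ["git", "add", *paths]

def safe_argv(paths):
    """Hardened pattern: '--' ends option parsing; the rest are paths."""
    return ["git", "add", "--", *paths]

def hook_findings(raw: bytes) -> list:
    """Reasons for the hook to stop the commit (empty list means pass)."""
    paths = parse_staged(raw)
    findings = [f"option-like file name: {p}" for p in option_like(paths)]
    findings += [f"sensitive file staged: {p}" for p in sensitive(paths)]
    return findings

# Constructed sample of staged paths, as the -z output would deliver them.
SAMPLE = b"src/app.py\0--all\0config/.env\0"

if __name__ == "__main__":
    for line in hook_findings(SAMPLE):
        print(line)
    print(safe_argv(parse_staged(SAMPLE)))
```
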
Official Patch / Upgrade
https://github.com/openclaw/openclaw/releases
CVE-2026-28474 – Nextcloud Talk Plugin Allowlist Bypass
Description
The Nextcloud Talk integration plugin uses the display name attribute of a user account to determine whether a sender is trusted.
Display names within Nextcloud are editable by the user. Because the plugin does not validate immutable identifiers such as the account UUID or internal user ID, a user may change their display name to match an allowlisted identity.
Once the name matches the allowlist entry, the plugin incorrectly assumes the message originates from a trusted source.
Impact
Automation tasks that are restricted to trusted users may be triggered by unauthorized individuals.
Potential outcomes include:
- execution of automation scripts
- modification of automation workflows
- unauthorized triggering of system commands
MITRE ATT&CK Mapping
T1036 – Masquerading
T1078 – Valid Accounts
Exploitation Scenario
An attacker changes their Nextcloud display name to match a trusted user that appears in the plugin allowlist.
Messages sent from the attacker account are then interpreted as coming from the trusted identity.
Proof of Concept (Educational)
Steps demonstrating the issue:
- Modify Nextcloud display name to match trusted user.
- Send automation trigger message in Talk chat.
- Plugin processes command because name matches allowlist.
Detection
Log Sources
- Nextcloud user management logs
- Nextcloud Talk message logs
- OpenClaw plugin interaction logs
Indicators of Compromise
- duplicate display names appearing simultaneously
- automation commands triggered by unexpected accounts
Detection Queries
Splunk
index=nextcloud_logs event=display_name_change
| stats count by user,display_name
| where count > 1
Elastic / KQL
event.action:"display_name_change"
LogQL
{app="nextcloud"} |= "display_name"
Remediation
The plugin now validates immutable account identifiers instead of mutable display names.
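
An added example (not the plugin's code) contrasting a display-name check with a check on the immutable account ID, plus a log sweep for accounts that reuse an allowlisted name. The field names `actor_id` and `display_name`, the allowlist and the events are constructed assumptions.

```python
from collections import defaultdict

# Assumed allowlist: immutable user ID -> display name recorded at enrolment.
TRUSTED = {"uid-7f3a": "Alice Admin"}

def trusted_by_name(msg: dict) -> bool:
    """Vulnerable pattern: the display name is user-editable."""
    return msg["display_name"] in TRUSTED.values()

def trusted_by_id(msg: dict) -> bool:
    """Hardened pattern: decide on the identifier the user cannot change."""
    return msg["actor_id"] in TRUSTED

def spoof_candidates(events) -> dict:
    """Map each allowlisted name to non-allowlisted IDs seen using it."""
    names = {n.casefold() for n in TRUSTED.values()}
    hits = defaultdict(set)
    for e in events:
        shown = e["display_name"].strip()
        if shown.casefold() in names and e["actor_id"] not in TRUSTED:
            hits[shown].add(e["actor_id"])
    return {name: sorted(ids) for name, ids in hits.items()}

# Constructed message events.
EVENTS = [
    {"actor_id": "uid-7f3a", "display_name": "Alice Admin"},
    {"actor_id": "uid-c901", "display_name": "Alice Admin"},
    {"actor_id": "uid-22be", "display_name": "Bob"},
]

if __name__ == "__main__":
    print(spoof_candidates(EVENTS))
```
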
Official Patch / Upgrade
https://github.com/openclaw/openclaw/releases
CVE-2026-28472 – WebSocket Handshake Identity Validation Bypass
Description
The OpenClaw Gateway service accepts WebSocket connections used for remote control and automation management.
During the handshake process, a token field is checked for presence but the identity associated with that token is not properly validated against trusted device records.
Because of this weakness, a connection may be accepted even when the provided token does not correspond to a registered device.
Impact
Unauthorized clients may establish active sessions with the gateway.
Once connected, an attacker may interact with automation APIs and potentially trigger tasks.
MITRE ATT&CK Mapping
T1078 – Valid Accounts
T1046 – Network Service Discovery
Exploitation Scenario
A WebSocket client may initiate a handshake request containing a placeholder authentication field.
If the gateway only checks the existence of the field rather than validating its contents, the connection may be accepted.
Proof of Concept (Educational)
Example handshake request:
GET /gateway/connect HTTP/1.1
Upgrade: websocket
Authorization: token-placeholder
If identity verification is not enforced, the connection may succeed.
Detection
Log Sources
- Gateway service logs
- WebSocket connection logs
- API authentication logs
Indicators of Compromise
- WebSocket sessions without paired device records
- repeated connection attempts from unknown IP addresses
Detection Queries
Splunk
index=openclaw_gateway event=websocket_connection
| search device_id="unknown"
Elastic / KQL
event.dataset : "gateway.websocket" and not device.id : *
LogQL
{service="gateway"} |= "websocket" |= "unknown"
Remediation
Authentication validation has been updated to require verified device identity during WebSocket handshake.
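
An added example (not the gateway's code) of the difference between checking that a token field is present and resolving it to a paired device. The registry layout, device IDs and tokens are constructed, and the header dictionary is assumed to be already normalised by the server.

```python
import hashlib

def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()

# Constructed registry: SHA-256 of each paired device's token -> record.
# Storing digests keeps raw tokens out of the registry.
DEVICES = {
    _digest("constructed-device-token-1"): {"device_id": "dev-01", "revoked": False},
    _digest("constructed-device-token-2"): {"device_id": "dev-02", "revoked": True},
}

def presence_only(headers: dict) -> bool:
    """Vulnerable pattern: any non-empty value passes."""
    return bool(headers.get("Authorization"))

def authenticate(headers: dict):
    """Return the device_id bound to the token, or None to refuse the upgrade."""
    token = headers.get("Authorization", "")
    if not token:
        return None
    record = DEVICES.get(_digest(token))
    if record is None or record["revoked"]:
        return None
    return record["device_id"]

if __name__ == "__main__":
    probe = {"Upgrade": "websocket", "Authorization": "token-placeholder"}
    print(presence_only(probe), authenticate(probe))
```
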
Official Patch / Upgrade
https://github.com/openclaw/openclaw/releases
CVE-2026-28470 – Command Execution Allowlist Bypass
Description
OpenClaw contains a command approval system designed to allow only predefined commands to run automatically.
However, the command parser fails to properly sanitize shell substitution syntax embedded within quoted command arguments.
Because command substitution is evaluated by the shell, additional commands may be executed outside the defined allowlist.
Impact
Attackers may run arbitrary commands on the host system.
Possible outcomes include:
- installation of malicious software
- data exfiltration
- persistence creation
MITRE ATT&CK Mapping
T1059 – Command and Scripting Interpreter
T1203 – Exploitation for Client Execution
Exploitation Scenario
A command allowed by the system may contain embedded substitution syntax.
When executed by the shell, the substitution expression runs before the command.
Proof of Concept (Educational)
echo "test $(whoami)"
In vulnerable configurations the whoami command may execute despite not being present in the allowlist.
Detection
Log Sources
- OpenClaw execution logs
- system shell history
- endpoint process monitoring
Indicators of Compromise
- commands containing $( syntax
- commands containing backtick execution
Detection Queries
Splunk
index=openclaw_exec_logs
| search command="*$(*)*" OR command="*`*`*"
Elastic / KQL
process.command_line : "*$(*"
LogQL
{job="openclaw"} |= "$("
Remediation
Command parsing has been hardened and shell substitution characters are now sanitized before execution.
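
An added example (not OpenClaw's parser) contrasting a first-word allowlist check with one that tokenises the command, rejects shell expansion syntax and executes an argv list without a shell. The allowlist contents and function names are assumptions.

```python
import re
import shlex
import subprocess

ALLOWED = {"echo", "ls", "git"}   # assumed allowlist for this example
# Characters that trigger substitution, chaining or redirection in a POSIX shell.
SHELL_META = re.compile(r"[`$;&|<>\n\\(){}]")

def naive_check(command: str) -> bool:
    """Vulnerable pattern: approve on the first word, then run via `sh -c`."""
    parts = command.split()
    return bool(parts) and parts[0] in ALLOWED

def strict_parse(command: str) -> list:
    """Return argv for shell-free execution, or raise ValueError."""
    argv = shlex.split(command)   # ValueError on unbalanced quotes
    if not argv or argv[0] not in ALLOWED:
        raise ValueError("command not in allowlist")
    for arg in argv:
        if SHELL_META.search(arg):
            raise ValueError(f"shell metacharacter in argument: {arg!r}")
    return argv

def run_approved(command: str):
    """Execute without a shell, so nothing in argv is interpreted again."""
    return subprocess.run(strict_parse(command), shell=False,
                          capture_output=True, text=True, check=False)

if __name__ == "__main__":
    sample = 'echo "test $(whoami)"'
    print("naive check passes:", naive_check(sample))
    try:
        strict_parse(sample)
    except ValueError as exc:
        print("strict parse refuses:", exc)
```

Running the parsed argv with `shell=False` is the control that removes substitution; the metacharacter check is a second layer that also keeps such strings out of any later shell context.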
Official Patch / Upgrade
https://github.com/openclaw/openclaw/releases
CVE-2026-28466 – Gateway Approval Field Injection
Description
The gateway component processes approval workflow fields included in API requests.
These fields are intended to be generated internally by the system after a user approves a command.
In vulnerable versions the gateway does not properly verify whether approval parameters originate from trusted internal sources.
An attacker may therefore inject approval values directly into the request payload.
Impact
Commands that normally require approval may execute immediately.
MITRE ATT&CK Mapping
T1548 – Abuse Elevation Control Mechanism
T1059 – Command Execution
Proof of Concept (Educational)
Example API payload demonstrating the concept:
{
"command":"system_update",
"approved": true
}
If validation is missing, the system may treat the request as approved.
Detection
Log Sources
- gateway API logs
- automation execution logs
- system audit logs
Indicators of Compromise
- command executions without prior approval events
- approval flags appearing directly in API requests
Detection Queries
Splunk
index=openclaw_gateway
| search approved=true
| stats count by user,command
Elastic / KQL
http.request.body : "approved"
LogQL
{service="gateway"} |= "approved"
Remediation
Approval parameters are now generated internally and cannot be supplied through external requests.
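
An added example (not the gateway's code) of keeping approval state on the server: client-supplied approval fields are refused, and an approval is bound to one request and one command and can be used once. The `ApprovalStore` class and the field names other than `command` and `approved` are assumptions.

```python
import secrets

# Assumed names of fields only the server may set; "approved" is from the payload above.
INTERNAL_FIELDS = {"approved", "approved_by", "approval_id"}

def vulnerable_is_approved(payload: dict) -> bool:
    """Vulnerable pattern: trusts an approval flag taken from the request body."""
    return payload.get("approved") is True

class ApprovalStore:
    def __init__(self):
        self._pending = {}    # request_id -> command awaiting approval
        self._approved = {}   # request_id -> command a user approved

    def submit(self, payload: dict) -> str:
        injected = INTERNAL_FIELDS & payload.keys()
        if injected:
            raise PermissionError(f"client-supplied internal fields: {sorted(injected)}")
        request_id = secrets.token_urlsafe(16)
        self._pending[request_id] = payload["command"]
        return request_id

    def approve(self, request_id: str) -> None:
        """Called only by the authenticated approval path, never from a request body."""
        self._approved[request_id] = self._pending.pop(request_id)

    def consume(self, request_id: str, command: str) -> bool:
        """True once per approval, and only for the command that was approved."""
        if self._approved.get(request_id) != command:
            return False
        del self._approved[request_id]
        return True

if __name__ == "__main__":
    store = ApprovalStore()
    rid = store.submit({"command": "system_update"})
    print(store.consume(rid, "system_update"))   # not yet approved
    store.approve(rid)
    print(store.consume(rid, "system_update"))   # approved, single use
```
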
Official Patch / Upgrade
https://github.com/openclaw/openclaw/releases
CVE-2026-28454 – Telegram Webhook Authentication Bypass
Description
The Telegram webhook integration processes incoming HTTP POST requests representing Telegram message updates.
In vulnerable versions the endpoint does not verify whether the request originated from Telegram infrastructure or from an authorized webhook source.
Because of this missing validation, any system capable of reaching the webhook endpoint may send crafted update events.
Impact
Automation actions triggered through Telegram messages may be executed without legitimate user interaction.
MITRE ATT&CK Mapping
T1190 – Exploit Public Facing Application
T1078 – Valid Accounts
Proof of Concept (Educational)
Example request:
POST /telegram/webhook
{
"message":"run backup script"
}
If accepted by the webhook handler, the automation may execute.
Detection
Log Sources
- HTTP access logs
- webhook request logs
- automation execution logs
Indicators of Compromise
- webhook requests from non-Telegram IP ranges
- high frequency webhook requests
Detection Queries
Splunk
index=webhook_logs endpoint="/telegram/webhook"
| stats count by src_ip
Elastic / KQL
url.path : "/telegram/webhook"
LogQL
{service="webhook"} |= "telegram"
Remediation
Webhook authentication tokens and source validation have been implemented.
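
An added example (not OpenClaw's handler) of both checks named above. It assumes the webhook was registered with Telegram's `secret_token` option, which Telegram echoes in the `X-Telegram-Bot-Api-Secret-Token` header, and uses the source subnets published in Telegram's webhook guide, which should be re-checked before use; the secret value is constructed.

```python
import hmac
import ipaddress

SECRET_HEADER = "x-telegram-bot-api-secret-token"
# Subnets listed in Telegram's webhook guide; confirm they are current.
TELEGRAM_NETS = [ipaddress.ip_network(n)
                 for n in ("149.154.160.0/20", "91.108.4.0/22")]

def from_telegram(src_ip: str) -> bool:
    """src_ip must be the real peer address, not an unverified forwarded header."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return False
    return any(addr in net for net in TELEGRAM_NETS)

def authorize(headers: dict, src_ip: str, expected_secret: str) -> tuple:
    """Return (allowed, reason) for one incoming webhook POST."""
    if not expected_secret:
        # An unset secret would make an absent header compare equal.
        return False, "no secret configured"
    supplied = {k.lower(): v for k, v in headers.items()}.get(SECRET_HEADER, "")
    if not hmac.compare_digest(supplied.encode(), expected_secret.encode()):
        return False, "bad or missing secret token"
    if not from_telegram(src_ip):
        return False, "source outside Telegram ranges"
    return True, "ok"

if __name__ == "__main__":
    secret = "constructed_secret_123"
    print(authorize({}, "203.0.113.5", secret))
    print(authorize({"X-Telegram-Bot-Api-Secret-Token": secret},
                    "149.154.167.220", secret))
```
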
Official Patch / Upgrade
https://github.com/openclaw/openclaw/releases
CVE-2026-28446 – Voice-Call Plugin Caller ID Allowlist Bypass
Description
The voice-call plugin allows certain automation commands to be triggered through phone calls from trusted numbers.
The plugin relies solely on caller ID information to verify whether the caller belongs to an allowlist.
Because caller ID can be spoofed by telephony systems, an attacker may impersonate a trusted number.
Impact
Voice-triggered automation commands may be executed by unauthorized callers.
Examples include:
- triggering automation workflows
- initiating remote commands
- accessing voice assistant functionality
MITRE ATT&CK Mapping
T1036 – Masquerading
T1078 – Valid Accounts
Exploitation Scenario
An attacker uses a telephony service capable of spoofing caller ID and places a call that appears to originate from an allowlisted number.
The plugin processes the request as trusted.
Detection
Log Sources
- telephony provider logs
- OpenClaw voice plugin logs
- automation execution logs
Indicators of Compromise
- identical caller IDs appearing from different regions
- unexpected automation triggered by voice channel
Detection Queries
Splunk
index=voice_plugin_logs
| stats count by caller_id,src_ip
Elastic / KQL
event.dataset : "voice_call"
LogQL
{service="voice-plugin"} |= "caller"
Remediation
Additional caller verification mechanisms have been introduced.
Official Patch / Upgrade
https://github.com/openclaw/openclaw/releases
