CVE-2026-28363

EPSS 0.5%
Veröffentlicht 27.02.2026 03:17:37
Zuletzt bearbeitet 27.02.2026 19:13:57
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

In OpenClaw before 2026.2.23, tools.exec.safeBins validation for sort could be bypassed via GNU long-option abbreviations (such as --compress-prog) in allowlist mode, leading to approval-free execution paths that were intended to require approval. Only an exact string such as --compress-program was denied.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

NVD 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

OpenClaw ≫ OpenClaw SwPlatformnode.js Version < 2026.2.23

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.5%	0.385

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cve@mitre.org	9.9	3.1	6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE-184 Incomplete List of Disallowed Inputs

The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.

https://github.com/openclaw/openclaw/security/advisories/GHSA-3c6h-g97w-fg78

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2026-28363

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-28363

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-28363

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-28363