OpenClaw versions 2.0.0-beta3 prior to 2026.2.14 contain a path traversal vulnerability in hook transform module loading that allows arbitrary JavaScript execution. The hooks.mappings[].transform.module parameter accepts absolute paths and traversal sequences, enabling attackers with configuration write access to load and execute malicious modules with gateway process privileges.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/28xxx/CVE-2026-28393.json",
"cwe_ids": [
"CWE-22"
],
"cna_assigner": "VulnCheck"
}