OpenClaw Gateway Arbitrary Code Execution Vulnerability via Unsafe Hook Module Path Handling

Vulnerability

A vulnerability allowing arbitrary code execution has been identified in OpenClaw Gateway versions from 2026.1.5 up to, but not including, 2026.2.14. The issue arises because the Gateway does not adequately restrict configured hook module paths before passing them to dynamic import(). This flaw enables an attacker with the ability to modify the gateway configuration to load and execute unintended local modules within the Node.js process.

Impact

Exploitation of this vulnerability could lead to unauthorized code execution in the OpenClaw Gateway Node.js process.

Reproduction

To reproduce this vulnerability, configure a hook mapping in the OpenClaw Gateway with a transform module path that traverses outside the intended directory. This can be done by setting the 'transform.module' value to an absolute path or a relative path that escapes the module directory. Once the mapping is applied, the Gateway will dynamically import the specified module, executing any contained code.

Remediation

Upgrade to OpenClaw version 2026.2.14 or later, which addresses this vulnerability. It is also recommended to review and sanitize hook module path configurations to ensure they do not point to unsafe or unintended locations.

Added: Mar 5, 2026, 10:41 PM
Updated: Mar 5, 2026, 10:41 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 5.4
remediation: 0.0
relevance: 3.5
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.