CVE-2026-28484

EUVD-2026-9929
OpenClaw versions prior to 2026.2.15 contain an option injection vulnerability in the git-hooks/pre-commit hook that allows attackers to stage ignored files by creating maliciously-named files beginning with dashes. The hook fails to use a -- separator when piping filenames through xargs to git add, enabling attackers to inject git flags and add sensitive ignored files like .env to git history.
Command Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheckCNA
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Common Weakness Enumeration
References
https://github.com/openclaw/openclaw/commit/b88f37762f5b6d7ec0f589eb761815e466e4ef4b
https://github.com/openclaw/openclaw/commit/ba84b1253967143692166023f9e174c149b6f2ed
https://github.com/openclaw/openclaw/security/advisories/GHSA-mmpf-jwf4-h3qv
https://www.vulncheck.com/advisories/openclaw-option-injection-in-pre-commit-hook-via-malicious-filenames