CVE-2026-28484

OpenClaw · Multiple Products

OpenClaw contains an option injection vulnerability in the pre-commit hook that allows attackers to inject Git flags and add sensitive ignored files to the repository history.

Executive summary

An option injection vulnerability in OpenClaw pre-commit hooks allows unauthorized actors to exfiltrate sensitive files, posing a critical risk to repository integrity.

Vulnerability

The vulnerability exists in the git-hooks/pre-commit hook, where improper handling of filenames allows option injection. An unauthenticated attacker can create files whose names start with a dash; these names are then passed to git add without an end-of-options separator, so Git parses them as flags rather than as paths, allowing arbitrary flag injection.
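The following is an added illustration of the hardened pattern, not OpenClaw's own hook: a small POSIX sh helper that stages files the way a pre-commit hook should, terminating option parsing with `--` so a dash-prefixed filename can never be read as a Git flag, plus a check that rejects option-like names outright as defence in depth. Function names and the sample filenames are constructed for this example.

```shell
#!/bin/sh
# Added example (not the OpenClaw hook): staging files from a pre-commit
# hook without letting a filename be parsed as a git option.

# Vulnerable shape (do not use): with no separator, a file literally named
# "-A" or "--anything" is consumed by git's option parser instead of being
# treated as a path, which is the injection described in the advisory.
#   git add $files

# Returns 0 when git's option parser would treat the word as a flag.
looks_like_option() {
  case "$1" in
    -*) return 0 ;;
    *)  return 1 ;;
  esac
}

# Prints, one word per line, the argv of the safe invocation. The "--"
# ends option parsing, so every later word is a pathspec no matter what
# it starts with.
safe_add_argv() {
  printf '%s\n' "git" "add" "--"
  for f in "$@"; do
    printf '%s\n' "$f"
  done
}

# Hook body: refuse option-like names (defence in depth, so a suspicious
# name is surfaced rather than silently staged), then stage with "--".
# Callers should hand in filenames as separate arguments, never as one
# whitespace-split string.
pre_commit_stage() {
  for f in "$@"; do
    if looks_like_option "$f"; then
      echo "pre-commit: refusing option-like filename: $f" >&2
      return 1
    fi
  done
  git add -- "$@"
}
```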

Business impact

The ability to force the inclusion of sensitive files, such as .env files containing API keys or credentials, into version control systems can lead to catastrophic data breaches. Given the CVSS score of 9.8, this flaw represents a critical threat to organizational security, potentially exposing intellectual property and production secrets to unauthorized parties with access to the repository.

Remediation

Immediate Action: Upgrade all instances of OpenClaw to version 2026.2.15 or later.

Proactive Monitoring: Audit existing Git repository histories for the presence of sensitive files that should have been ignored.

Compensating Controls: Implement strict file naming policies and repository scanning tools (e.g., secret scanners) to detect and block the commit of sensitive configuration files.

Exploitation status

Public Exploit Available: No

Analyst recommendation

This vulnerability presents a severe risk to the confidentiality of development environments. Administrators must prioritize the update to version 2026.2.15 to prevent unauthorized exposure of sensitive environment variables and credentials.