【Reproduction】OpenClaw Remote Code Execution Vulnerability (CVE-2026-28466)

Published 2026-03-13

Thanks to its rich feature set and flexibility, OpenClaw became a star project of the open-source AI agent ecosystem in 2026. As a chatbot platform, OpenClaw lets users issue natural-language instructions through a web interface or an instant-messaging platform to carry out high-privilege tasks such as email management, calendar scheduling, browser automation, file operations and shell command execution.

OpenClaw recently fixed a critical vulnerability, CVE-2026-28466, with a CVSS score of 9.4. When the Gateway forwards node.invoke requests it applies no filtering to the parameters supplied by the user, so an authenticated client can bypass the execution approval mechanism. An attacker holding valid gateway credentials can inject the approval control field and execute arbitrary commands on connected node hosts; successful exploitation yields full control of the node host. According to data from the cyberspace mapping engine FOFA, as of 13 March 2026 there were 116,672 potentially vulnerable OpenClaw instances exposed on the internet.


Vulnerability Description

The Gateway is OpenClaw's core service: it manages all message channels, session scheduling and agent orchestration, and exposes a WebSocket API. A Node is an endpoint device connected to the Gateway (for example a macOS/iOS/Android app or a command-line process) that gives the system local execution capabilities, including running shell commands, driving the browser and accessing device features such as the camera. The Gateway sends execution requests to the target Node via node.invoke; the Node executes them locally and returns the result to the Gateway. The whole exchange follows a request/response pattern over WebSocket.

In OpenClaw versions before 2026.2.14, the Gateway did not filter the params argument when forwarding node.invoke requests. An authenticated user could inject the internal control field approved into the call parameters, bypass the Node host's execution approval mechanism, and execute arbitrary shell commands on the Node through system.run.


Affected Versions

OpenClaw < 2026.2.14


How the Vulnerability Works

The root cause is that nowhere along the call chain from the Gateway to the Node is the user-controlled parameter field validated or filtered.

(1) Gateway side: forwards params as-is without stripping internal fields

The Gateway's node.invoke handler passes the client-supplied params straight to nodeRegistry.invoke() without stripping any fields.



[Image: 图片1.jpg]


(2) Node Registry: serializes and sends directly

params is serialized to paramsJSON and sent straight to the Node over WebSocket, again with no filtering.


[Image: 图片2.jpg]


(3) Node side: trusts the approval field in params directly

The parameters the Node deserializes contain the approval control field, and the approval decision logic reads that field directly with no verification of where it came from. When the field is set to the approved state, both the approval check and the whitelist check are skipped, the command executes immediately, and the user sees no approval prompt.


[Image: 图片3.jpg]


Impact

The vulnerability lets any user authenticated to the Gateway execute arbitrary shell commands remotely without the Node host owner's approval. An attacker can use it to:

    • Take full control of the Node device: read, modify or delete any file on the Node host.

    • Steal sensitive data: obtain credentials, keys, private files and similar material on the Node device.

    • Move laterally: use the Node host as a pivot to compromise other systems on the same network.

    • Establish persistence: plant a backdoor or scheduled task to keep long-term access to the Node device.


Reproduction


[Image: 图片4.jpg]


Security Recommendations

(1) Upgrade immediately

OpenClaw has published a security advisory and a fixed release; upgrade to the latest version as soon as possible.

(2) Temporary mitigations

    • Make sure the Gateway is not exposed to the public internet: by default the Gateway listens only on the local host (127.0.0.1). Check that the startup parameters do not include any configuration that exposes the port to external networks.

    • Review historical execution records: look for anomalous system.run calls on Node hosts, paying particular attention to requests that carry approved: true without having gone through the normal approval flow.

    • Run with least privilege: run the Node process with the minimum necessary privileges and avoid root or administrator accounts, to limit the blast radius of any command execution.


To date, 283 security vulnerabilities have been found in the OpenClaw project. The approval bypass analysed here is a typical case: the feature logic is complete, but nothing verifies that the approval result actually came from the user. It also reflects a weakness in how AI agents are designed for security: systems tend to trust their inputs and prioritise functionality over boundary conditions and security checks. On security-critical paths such as permission checks and trust boundaries, overlooking such details can carry serious risk. Users of AI agents should therefore remain cautious and make sure potential threats and vulnerabilities are properly identified and guarded against.


References:

[1] https://github.com/advisories/GHSA-gv46-4xfq-jv58

[2] https://nvd.nist.gov/vuln/detail/CVE-2026-28466