¡¾¸´ÏÖ¡¿OpenClawÔ¶³Ì´úÂëÖ´ÐЩ¶´£¨CVE-2026-28466£©
·¢²¼Ê±¼ä 2026-03-13OpenClawƾ½èÆä·á¸»µÄ¹¦ÄܺÍÁé»îÐÔ£¬ÔÚ2026Äê³ÉΪ¿ªÔ´È˹¤ÖÇÄÜ´úÀíÉú̬ϵͳÖеÄÃ÷ÐÇÏîÄ¿¡£×÷Ϊһ¸öÁÄÌì»úÆ÷ÈËÆ½Ì¨£¬OpenClawÔÊÐíÓû§Í¨¹ýWeb½çÃæ»ò¼´Ê±Í¨Ñ¶Æ½Ì¨Ï´ï×ÔÈ»ÓïÑÔÖ¸ÁÍê³ÉÓʼþ¹ÜÀí¡¢ÈÕÀúµ÷¶È¡¢ä¯ÀÀÆ÷×Ô¶¯»¯¡¢Îļþ²Ù×÷ÒÔ¼°shellÃüÁîÖ´ÐеȸßȨÏÞÈÎÎñ¡£
½üÈÕ£¬OpenClawÐÞ¸´ÁËÒ»¸öCVSSÆÀ·ÖΪ9.4µÄÑÏÖØÂ©¶´CVE-2026-28466£¬¸Ã©¶´ÊÇÔÚGatewayת·¢node.invokeÇëÇóʱ£¬Î´¶ÔÓû§´«ÈëµÄ²ÎÊý×öÈκιýÂË£¬µ¼Ö¾¹ýÈÏÖ¤µÄ¿Í»§¶Ë¿ÉÒÔÈÆ¹ýÖ´ÐÐÉóÅú»úÖÆ¡£ÓµÓÐÓÐÐ§Íø¹ØÆ¾Ö¤µÄ¹¥»÷Õß¿ÉÒÔ×¢ÈëÉóÅú¿ØÖÆ×ֶΣ¬ÔÚÁ¬½ÓµÄ½ÚµãÖ÷»úÉÏÖ´ÐÐÈÎÒâÃüÁ³É¹¦ÀûÓý«µ¼ÖÂÍêÈ«¿ØÖƽڵãÖ÷»ú¡£¸ù¾ÝÍøÂç¿Õ¼ä²â»æÒýÇæFOFAµÄÊý¾Ý£¬½ØÖÁ2026Äê3ÔÂ13ÈÕ£¬»¥ÁªÍøÉÏ´æÔÚ116,672¸öDZÔÚµÄÒ×Êܹ¥»÷OpenClawʵÀý¡£
©¶´ÃèÊö
GatewayÊÇOpenClawµÄºËÐÄ·þÎñ£¬¸ºÔð¹ÜÀíËùÓÐÏûϢͨµÀ¡¢»á»°µ÷¶ÈºÍAgent±àÅÅ£¬¶ÔÍâÌṩWebSocket API¡£NodeÊÇÁ¬½Óµ½GatewayµÄÖÕ¶ËÉ豸£¨È磺macOS/iOS/Android Ó¦ÓûòÃüÁîÐнø³Ì£©£¬ÎªÏµÍ³Ìṩ±¾µØÖ´ÐÐÄÜÁ¦£¬°üÀ¨ÔËÐÐShellÃüÁî¡¢²Ù¿Øä¯ÀÀÆ÷¡¢·ÃÎÊÉãÏñÍ·µÈÉ豸¹¦ÄÜ¡£Gatewayͨ¹ýnode.invoke½«Ö´ÐÐÇëÇó·¢Ë͵½Ä¿±êNode£¬NodeÔÚ±¾µØÍê³ÉÖ´Ðк󽫽á¹û»Ø´«¸øGateway£¬Õû¸ö¹ý³Ìͨ¹ýWebSocketµÄÇëÇó-ÏìÓ¦»úÖÆÍê³É¡£
2026.2.14֮ǰ°æ±¾µÄOpenClawÖУ¬GatewayÔÚת·¢node.invokeÇëÇóʱδ¶Ôparams²ÎÊý½øÐйýÂË£¬¾¹ýÉí·ÝÈÏÖ¤µÄÓû§¿ÉÒÔÔÚµ÷ÓòÎÊýÖÐ×¢ÈëapprovedÄÚ²¿¿ØÖÆ×ֶΣ¬ÈƹýNodeÖ÷»úµÄÖ´ÐÐÉóÅú»úÖÆ£¬Í¨¹ýsystem.runÔÚNodeÉÏÖ´ÐÐÈÎÒâshellÃüÁî¡£
Ó°Ïì°æ±¾
OpenClaw<2026.2.14
©¶´ÔÀí
¸Ã©¶´µÄ¸ùÒòÔÚÓÚ´ÓGatewayµ½NodeµÄÕûÌõµ÷ÓÃÁ´Â·ÉÏ£¬¾ùδ¶ÔÓû§¿É¿ØµÄ²ÎÊý×ֶνøÐÐУÑé»ò¹ýÂË¡£
£¨1£©Gateway¶Ë£ºÔÑùת·¢£¬²»¹ýÂËÄÚ²¿×Ö¶Î
GatewayµÄnode.invoke´¦Àíº¯Êý½«¿Í»§¶Ë´«ÈëµÄparamsÖ±½Ó´«µÝ¸ønodeRegistry.invoke()£¬Î´×öÈκÎ×ֶΰþÀë¡£

£¨2£©Node Registry£ºÐòÁл¯ºóÖ±½Ó·¢ËÍ
params±»ÐòÁл¯ÎªparamsJSONºóÖ±½Óͨ¹ýWebSocket·¢Ë͸øNode£¬Í¬ÑùûÓйýÂË¡£

£¨3£©Node¶Ë£ºÖ±½ÓÐÅÈÎparamsÖеÄÉóÅú×Ö¶Î
Node·´ÐòÁл¯ºóµÄ²ÎÊýÖаüº¬ÉóÅú¿ØÖÆ×ֶΣ¬ÉóÅúÅжÏÂß¼Ö±½Ó¶ÁÈ¡¸Ã×Ö¶ÎÇÒÎÞÈκÎÀ´Ô´ÑéÖ¤¡£µ±¸Ã×ֶα»ÉèΪͨ¹ý״̬ʱ£¬ÉóÅú¼ì²éºÍ°×Ãûµ¥Ð£Ñé¾ù±»Ìø¹ý£¬ÃüÁîÖ±½ÓÖ´ÐУ¬Óû§²»»á¿´µ½ÈκÎÉóÅúÌáʾ¡£

©¶´Î£º¦
¸Ã©¶´ÔÊÐíÈκξ¹ýGatewayÉí·ÝÈÏÖ¤µÄÓû§ÔÚδ¾NodeÖ÷»úËùÓÐÕßÅú×¼µÄÇé¿öÏ£¬Ô¶³ÌÖ´ÐÐÈÎÒâShellÃüÁî¡£¹¥»÷Õ߿ɽè´Ë£º
? ÍêÈ«¿ØÖÆNodeÉ豸£º¶ÁÈ¡¡¢´Û¸Ä»òɾ³ý Node Ö÷»úÉϵÄÈÎÒâÎļþ¡£
? ÇÔÈ¡Ãô¸ÐÊý¾Ý£º»ñÈ¡NodeÉ豸ÉÏµÄÆ¾¾Ý¡¢ÃÜÔ¿¡¢Òþ˽ÎļþµÈ¡£
? ºáÏòÒÆ¶¯£ºÒÔNodeÖ÷»úÎªÌø°å£¬½øÒ»²½ÉøÍ¸ËùÔÚÍøÂçµÄÆäËûϵͳ¡£
? ³Ö¾Ã»¯×¤Áô£ºÖ²ÈëºóÃųÌÐò»ò¶¨Ê±ÈÎÎñ£¬Î¬³Ö¶ÔNodeÉ豸µÄ³¤ÆÚ·ÃÎÊ¡£
©¶´¸´ÏÖ

°²È«½¨Òé
£¨1£©Á¢¼´Éý¼¶
OpenClaw¹Ù·½ÒÑ·¢²¼°²È«Í¨¸æ²¢·¢²¼ÁËÐÞ¸´°æ±¾£¬Ç뾡¿ìÉý¼¶ÖÁ×îа汾¡£
£¨2£©ÁÙʱ»º½â´ëÊ©
? È·ÈÏGatewayδ±©Â¶µ½¹«Íø£ºGatewayĬÈϽö¼àÌý±¾»ú£¨127.0.0.1£©£¬È·ÈÏÆô¶¯²ÎÊýÖÐδʹÓý«¶Ë¿Ú±©Â¶ÖÁÍâ²¿ÍøÂçµÄÅäÖá£
? Éó²éÀúÊ·Ö´ÐмǼ£ºÅŲéNodeÖ÷»úÉÏÊÇ·ñ´æÔÚÒì³£µÄsystem.runµ÷Óã¬ÖØµã¹Ø×¢Î´¾Õý³£ÉóÅúÁ÷³Ì¡¢Ö±½ÓЯ´øapproved: trueµÄÇëÇó¡£
? ×îСȨÏÞÔËÐУºÒÔ×îµÍ±ØÒªÈ¨ÏÞÔËÐÐNode½ø³Ì£¬±ÜÃâʹÓÃroot»ò¹ÜÀíÔ±ÕË»§£¬½µµÍÃüÁîÖ´ÐкóµÄÓ°Ï췶Χ¡£
½ØÖÁĿǰ£¬OpenClawÏîÄ¿ÖÐÒÑÀۼƷ¢ÏÖ283¸ö°²È«Â©¶´¡£±¾ÎÄ·ÖÎöµÄÉóÅúÈÆ¹ý©¶´ÊÇÒ»¸öµäÐͰ¸Àý£º¹¦ÄÜÂß¼ÍêÕû£¬µ«Î´ÑéÖ¤"ÉóÅú½á¹ûÊÇ·ñÕæÊµÀ´×ÔÓû§"¡£ÕâÒ²·´Ó³ÁËAI AgentÔÚ°²È«Éè¼ÆÉÏ´æÔڶ̰壺ϵͳÍùÍùÇãÏòÓÚÐÅÈÎÊäÈ룬ÓÅÏÈʵÏÖ¹¦ÄܶøºöÊÓÁ˱߽çÌõ¼þºÍ°²È«Ð£Ñé¡£ÌØ±ðÊÇÔÚÉæ¼°È¨ÏÞУÑé¡¢ÐÅÈα߽çµÈ°²È«¹Ø¼ü·¾¶Ê±£¬ºöÊÓÕâЩϸ½Ú¿ÉÄÜ´øÀ´ÑÏÖØµÄ°²È«·çÏÕ¡£Òò´Ë£¬Óû§ÔÚʹÓÃAI AgentʱӦ±£³ÖÉóÉ÷£¬È·±£¶ÔDZÔڵݲȫÍþвºÍ©¶´½øÐгä·ÖµÄʶ±ðÓë·À·¶¡£
²Î¿¼Á´½Ó£º
[1]https://github.com/advisories/GHSA-gv46-4xfq-jv58
[2]https://nvd.nist.gov/vuln/detail/CVE-2026-28466


¾©¹«Íø°²±¸11010802024551ºÅ