CVE-2026-28472

OpenClaw versions prior to 2026.2.2 contain a vulnerability in the gateway WebSocket connect handshake in which it allows skipping device identity checks when auth.token is present but not validated. Attackers can connect to the gateway without providing device identity or pairing by exploiting the presence check instead of validation, potentially gaining operator access in vulnerable deployments.

CVSS v3 8.1 HIGH

8.1^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/openclaw/openclaw/commit/fe81b1d7125a014b8280da461f34efbf5f761575	Patch
https://github.com/openclaw/openclaw/security/advisories/GHSA-rv39-79c4-7459	Vendor Advisory
https://www.vulncheck.com/advisories/openclaw-device-identity-check-bypass-in-gateway-websocket-connect-handshake	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*

History

09 Mar 2026, 20:40

Type	Values Removed	Values Added
CPE		cpe:2.3:a:openclaw:openclaw::::::node.js::*
First Time		Openclaw openclaw Openclaw
References	~~() https://github.com/openclaw/openclaw/commit/fe81b1d7125a014b8280da461f34efbf5f761575 -~~	() https://github.com/openclaw/openclaw/commit/fe81b1d7125a014b8280da461f34efbf5f761575 - Patch
References	~~() https://github.com/openclaw/openclaw/security/advisories/GHSA-rv39-79c4-7459 -~~	() https://github.com/openclaw/openclaw/security/advisories/GHSA-rv39-79c4-7459 - Vendor Advisory
References	~~() https://www.vulncheck.com/advisories/openclaw-device-identity-check-bypass-in-gateway-websocket-connect-handshake -~~	() https://www.vulncheck.com/advisories/openclaw-device-identity-check-bypass-in-gateway-websocket-connect-handshake - Third Party Advisory

09 Mar 2026, 13:36

Type	Values Removed	Values Added
Summary		(es) Versiones de OpenClaw anteriores a 2026.2.2 contienen una vulnerabilidad en el handshake de conexión WebSocket del gateway en la que permite omitir las comprobaciones de identidad del dispositivo cuando auth.token está presente pero no validado. Los atacantes pueden conectarse al gateway sin proporcionar identidad del dispositivo o emparejamiento explotando la comprobación de presencia en lugar de la validación, obteniendo potencialmente acceso de operador en implementaciones vulnerables.

06 Mar 2026, 17:16

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~9.8~~	v2 : unknown v3 : 8.1

05 Mar 2026, 22:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-05 22:16

Updated : 2026-03-09 20:40

NVD link : CVE-2026-28472

Mitre link : CVE-2026-28472

CVE.ORG link : CVE-2026-28472

JSON object : View

Products Affected

openclaw

openclaw

CWE

CWE-306

Missing Authentication for Critical Function

8.1 /10