CVE-2026-28472
Severity
HIGH
OpenClaw < 2026.2.2 - Unauthenticated Device Identity Check Bypass via Gateway WebSocket Connect Handshake
Title source: llmDescription
OpenClaw versions prior to 2026.2.2 contain a vulnerability in the gateway WebSocket connect handshake: when the connect request carries an auth.token, the gateway skips its device identity checks without ever validating that token. An attacker who can reach the gateway can therefore connect without presenting any device identity or completing pairing, simply by supplying an arbitrary token value to satisfy the presence check, and in vulnerable deployments may obtain operator access.
References (3)
Core References
Vendor Advisory
https://github.com/openclaw/openclaw/security/advisories/GHSA-rv39-79c4-7459
Third Party Advisory
https://www.vulncheck.com/advisories/openclaw-device-identity-check-bypass-in-gateway-websocket-connect-handshake
Scores
CVSS v3.1
8.1
EPSS
0.0036
EPSS Percentile
27.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-306: Missing Authentication for Critical Function
Status
published
Products (2)
npm/openclaw
>= 0, < 2026.2.2 (npm)
openclaw/openclaw
< 2026.2.2
Published
Mar 05, 2026
Tracked Since
Mar 06, 2026