CVE-2026-28472
OpenClaw < 2026.2.2 - Device Identity Check Bypass in Gateway WebSocket Connect Handshake
CVSS Score
8.1
EPSS Score
0.0%
EPSS Percentile
0th
OpenClaw versions prior to 2026.2.2 contain a vulnerability in the gateway WebSocket connect handshake in which it allows skipping device identity checks when auth.token is present but not validated. Attackers can connect to the gateway without providing device identity or pairing by exploiting the presence check instead of validation, potentially gaining operator access in vulnerable deployments.
| CWE | CWE-306 |
| Vendor | openclaw |
| Product | openclaw |
| Published | Mar 5, 2026 |
| Last Updated | Mar 9, 2026 |
Stay Ahead of the Next One
Get instant alerts for openclaw openclaw
Be the first to know when new high vulnerabilities affecting openclaw openclaw are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Affected Versions
OpenClaw / OpenClaw
0 < 2026.2.2
References
github.com: https://github.com/openclaw/openclaw/security/advisories/GHSA-rv39-79c4-7459 github.com: https://github.com/openclaw/openclaw/commit/fe81b1d7125a014b8280da461f34efbf5f761575 vulncheck.com: https://www.vulncheck.com/advisories/openclaw-device-identity-check-bypass-in-gateway-websocket-connect-handshake
Credits
๐ Petr Simecek (@simecek) Stanislav Fort, Aisle Research, www.aisle.com