Vulnerability Description
OpenClaw versions prior to 2026.2.2 contain a vulnerability in the gateway WebSocket connect handshake in which it allows skipping device identity checks when auth.token is present but not validated. Attackers can connect to the gateway without providing device identity or pairing by exploiting the presence check instead of validation, potentially gaining operator access in vulnerable deployments.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Openclaw | Openclaw | < 2026.2.2 |
Related Weaknesses (CWE)
References
- https://github.com/openclaw/openclaw/commit/fe81b1d7125a014b8280da461f34efbf5f76Patch
- https://github.com/openclaw/openclaw/security/advisories/GHSA-rv39-79c4-7459Vendor Advisory
- https://www.vulncheck.com/advisories/openclaw-device-identity-check-bypass-in-gaThird Party Advisory
FAQ
What is CVE-2026-28472?
CVE-2026-28472 is a vulnerability with a CVSS score of 8.1 (HIGH). OpenClaw versions prior to 2026.2.2 contain a vulnerability in the gateway WebSocket connect handshake in which it allows skipping device identity checks when auth.token is present but not validated. ...
How severe is CVE-2026-28472?
CVE-2026-28472 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-28472?
Check the references section above for vendor advisories and patch information. Affected products include: Openclaw Openclaw.