CVE-2026-28472

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-28472

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-28472.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-28472

Aliases

GHSA-rv39-79c4-7459

Published

2026-03-05T22:16:21.017Z

Modified

2026-03-14T15:05:55.139171Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

OpenClaw versions prior to 2026.2.2 contain a vulnerability in the gateway WebSocket connect handshake in which it allows skipping device identity checks when auth.token is present but not validated. Attackers can connect to the gateway without providing device identity or pairing by exploiting the presence check instead of validation, potentially gaining operator access in vulnerable deployments.

References

Affected packages

Git / github.com/openclaw/openclaw

Affected ranges

Type

GIT

Repo

https://github.com/openclaw/openclaw

Events

Introduced

Fixed

95cd2210f93d6ab2acc5e29dbad6065294365863

Fixed

fe81b1d7125a014b8280da461f34efbf5f761575

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2026.2.2"
        }
    ]
}

Affected versions

v0.*

v0.1.0

v0.1.1

v0.1.2

v0.1.3

v1.*

v1.0.4

v1.1.0

v1.2.0

v1.2.1

v1.2.2

v1.3.0

v2.*

v2.0.0-beta1

v2.0.0-beta2

v2.0.0-beta3

v2.0.0-beta4

v2.0.0-beta5

v2026.*

v2026.1.10

v2026.1.11

v2026.1.11-1

v2026.1.11-2

v2026.1.11-3

v2026.1.12

v2026.1.12-2

v2026.1.13

v2026.1.14-1

v2026.1.15

v2026.1.16-2

v2026.1.20

v2026.1.21

v2026.1.22

v2026.1.23

v2026.1.24

v2026.1.24-1

v2026.1.29

v2026.1.30

v2026.1.5

v2026.1.5-1

v2026.1.5-2

v2026.1.5-3

v2026.1.8

v2026.1.9

v2026.2.1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-28472.json"