CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-28472: Device Identity Verification Bypass in OpenClaw Gateway WebSocket Handshake

Vulnerability ID: CVE-2026-28472
CVSS Score: 8.1
Published: 2026-03-05

CVE-2026-28472 is a high-severity vulnerability (CVSS 8.1) in the OpenClaw automation platform affecting all versions prior to 2026.2.2. It resides in the gateway's WebSocket connection handshake, where a flaw in the authentication sequence lets an unauthenticated attacker bypass device identity verification. In deployments that use a secondary authentication provider, this can result in unauthorized operator access to the gateway.

TL;DR

A logic flaw in OpenClaw < 2026.2.2 lets an attacker bypass the device identity check during the WebSocket handshake by presenting an unvalidated dummy token, potentially leading to unauthorized operator access.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-306
  • Attack Vector: Network
  • CVSS v3.1: 8.1 (High)
  • EPSS Score: 0.00041 (12.29th percentile)
  • Impact: Unauthorized Operator Access
  • Exploit Status: Proof of Concept
  • CISA KEV: Not Listed

Affected Systems

  • OpenClaw Gateway server component
  • OpenClaw WebSocket connection handler
  • OpenClaw: < 2026.2.2 (Fixed in: 2026.2.2)

Code Analysis

Commit: fe81b1d

Fix device identity check bypass in gateway WebSocket connect handshake by strictly requiring sharedAuthOk

Mitigation Strategies

  • Upgrade OpenClaw to version 2026.2.2 or higher.
  • Ensure the dangerouslyDisableDeviceAuth setting is set to false in the gateway configuration.
  • Restrict network access to the OpenClaw gateway WebSocket port using firewalls or VPNs.
  • Audit logs for unauthorized connection attempts mentioning device identity failures.

Remediation Steps:

  1. Verify the current running version of OpenClaw.
  2. Download the 2026.2.2 release from the official repository.
  3. Deploy the update to the gateway server.
  4. Restart the OpenClaw gateway service.
  5. Verify that WebSocket connections presenting an invalid or dummy token are rejected, and that the device identity check is no longer skipped for them.

Read the full report for CVE-2026-28472 on our website for more details including interactive diagrams and full exploit analysis.
