216.73.217.64

CVE-2026-28472

· Published 05/03/2026 22:16 · Modified 06/03/2026 17:16

Labels: CVE-2026-28472 2026-03-05CVE-2026-28472CWE-306[email protected]

Essential information

Published
05/03/2026 22:16
Modified
06/03/2026 17:16
Author
Creator
CVSS
9.2 CRITICAL (v3) 9.2 CRITICAL (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

OpenClaw versions prior to 2026.2.2 contain a vulnerability in the gateway WebSocket connect handshake in which it allows skipping device identity checks when auth.token is present but not validated. Attackers can connect to the gateway without providing device identity or pairing by exploiting the presence check instead of validation, potentially gaining operator access in vulnerable deployments.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
openclaw / openclaw cpe:2.3:a:openclaw:openclaw:<2026.2.2:*:*:*:*:*:*:*

References