LeakyCreds

CVE-2026-28464 - Vulnerability Analysis

Severity: Critical
CVSS: 9.8

Last Updated: March 5, 2026

OpenClaw - Authentication Bypass

Published: March 5, 2026
Updated: March 5, 2026
Remotely exploitable

Overview

OpenClaw versions before 2026.2.12 contain a timing side-channel vulnerability: hook token validation uses a non-constant-time string comparison, so a remote attacker can infer the authentication token from timing measurements. Exploitation requires network access to the hooks endpoint.

Severity & Score

Severity: Critical
CVSS Score: 9.8
EPSS Score: 8.7% (probability of exploitation in the next 30 days)

Impact

Remote attackers can infer authentication tokens, potentially leading to unauthorized access.

Mitigation

Update to version 2026.2.12 or later.
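The non-constant-time comparison the Overview describes, shown beside the constant-time check that closes the side channel, as an added Python example that is not OpenClaw's own code. The token value, the function names and the character-count instrumentation are constructed for illustration.

```python
import hmac
from typing import List, Optional, Tuple

# Constructed sample hook token for the demonstration; not a value from the advisory.
HOOK_TOKEN = "hk_3f9c2a7e1b8d4c6f"


def naive_token_equal(expected: str, supplied: str) -> Tuple[bool, int]:
    """Early-exit string comparison of the kind CWE-208 describes.

    Returns (match, characters_inspected). The count models how much work the
    comparison does before returning: it grows with the length of the
    matching prefix, and that difference is what a timing side channel exposes.
    """
    if len(expected) != len(supplied):
        return False, 0
    for i, (a, b) in enumerate(zip(expected, supplied)):
        if a != b:
            return False, i + 1  # stops at the first mismatch
    return True, len(expected)


def constant_time_token_equal(expected: str, supplied: str) -> bool:
    """Hardened form: hmac.compare_digest takes the same time regardless of
    where the first mismatching byte is, so the matching-prefix length is not
    observable. Only the lengths may still be distinguishable, which is why
    tokens should have a fixed, non-secret length."""
    return hmac.compare_digest(expected.encode("utf-8"), supplied.encode("utf-8"))


def validate_hook_request(presented: Optional[str]) -> bool:
    """Check a token presented to a hook endpoint against the configured one
    using the constant-time comparison. A missing header is rejected outright."""
    if presented is None:
        return False
    return constant_time_token_equal(HOOK_TOKEN, presented)


def work_profile(expected: str, guesses: List[str]) -> List[int]:
    """Characters inspected by the naive comparison for each guess, to make the
    prefix-dependent work visible without any real timing measurement."""
    return [naive_token_equal(expected, guess)[1] for guess in guesses]


if __name__ == "__main__":
    samples = ["hk_" + "0" * 16, "hk_3f9c" + "0" * 12, HOOK_TOKEN]
    print("naive work per guess:", work_profile(HOOK_TOKEN, samples))  # [4, 8, 19]
    print("constant-time accepts real token:", validate_hook_request(HOOK_TOKEN))
```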

Social Media Activity (1 post)

TheHackerWire
@thehackerwire
Mar 6, 2026

CVE-2026-28464 - Critical (9.8) OpenClaw versions prior to 2026.2.12 use non-constant-time string comparison for hook token validation, allowing attackers to infer tokens through timing measurements. Remote attackers with network access to the hooks endpoint can exploit timing s... https://www.thehackerwire.com/vulnerability/CVE-2026-28464/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack


Details

CVE ID: CVE-2026-28464
Severity: Critical
CVSS Score: 9.8
Type: broken_authentication
Status: new
EPSS: 8.7%
Social Posts: 1

CWE

  • CWE-208

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

8.7% (probability of exploitation in the next 30 days)