LeakyCreds

CVE-2026-28472 - Vulnerability Analysis

Severity: Critical (CVSS: 9.8)

Last Updated: March 5, 2026

OpenClaw - Authentication Bypass

Published: March 5, 2026
Updated: March 5, 2026
Remote Exploitable: Yes

Overview

OpenClaw versions before 2026.2.2 contain an authentication bypass in the gateway WebSocket connect handshake: when auth.token is present, the handshake skips the device identity checks without validating the token, letting attackers gain operator access without device identity or pairing.

Severity & Score

Severity: Critical
CVSS Score: 9.8

Impact

Attackers can gain operator access without device identity or pairing, potentially controlling the gateway.

Mitigation

Update to version 2026.2.2 or later.

Details

CVE ID: CVE-2026-28472
Severity: Critical
CVSS Score: 9.8
Type: broken_authentication
Status: new

CWE

  • CWE-306

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H