CVE-2026-28472
published 2026-03-05


Priority: P260 · Severity: critical · CVSS 3.1 base score: 9.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.36% (27.5th percentile)
OpenClaw versions prior to 2026.2.2 contain a vulnerability in the gateway WebSocket connect handshake in which it allows skipping device identity checks when auth.token is present but not validated. Attackers can connect to the gateway without providing device identity or pairing by exploiting the presence check instead of validation, potentially gaining operator access in vulnerable deployments.

Affected (2 ranges)

Vendor    | Product  | Version range     | Fixed in
openclaw  | openclaw | < 2026.2.2        | 2026.2.2
openclaw  | openclaw | >= 0, < 2026.2.2  | 2026.2.2

Detection & IOCs (extracted from sources)

  • Detect WebSocket connect handshake requests to the OpenClaw gateway where the auth.token field is present but no device identity or pairing information is provided; this pattern indicates exploitation of the presence-check bypass.
  • Monitor for unexpected operator-level access originating from WebSocket connections that lack valid device identity or pairing credentials on OpenClaw gateway deployments.
  • The vulnerability affects OpenClaw versions prior to 2026.2.2 (also known as Moltbot or Clawdbot). Upgrade to 2026.2.2 or later to remediate.
  • The flaw is specifically in the gateway WebSocket connect handshake logic: the code checks for the presence of auth.token rather than validating its value, allowing authentication bypass.

CVSS provenance

Source | Version | Score | Severity | Vector
nvd    | v3.1    | 9.8   | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd    | v4.0    | 9.2   | CRITICAL | CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X