← Volver a CVEs
CVE-2026-28472
HIGH8.1
Descripcion
OpenClaw versions prior to 2026.2.2 contain a vulnerability in the gateway WebSocket connect handshake in which it allows skipping device identity checks when auth.token is present but not validated. Attackers can connect to the gateway without providing device identity or pairing by exploiting the presence check instead of validation, potentially gaining operator access in vulnerable deployments.
Detalles CVE
Puntuacion CVSS v3.18.1
SeveridadHIGH
Vector CVSSCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Vector de ataqueNETWORK
ComplejidadHIGH
Privilegios requeridosNONE
Interaccion usuarioNONE
Publicado3/5/2026
Ultima modificacion3/9/2026
Fuentenvd
Avistamientos honeypot0
Productos afectados
openclaw:openclaw
Debilidades (CWE)
CWE-306
Referencias
https://github.com/openclaw/openclaw/commit/fe81b1d7125a014b8280da461f34efbf5f761575(disclosure@vulncheck.com)
https://github.com/openclaw/openclaw/security/advisories/GHSA-rv39-79c4-7459(disclosure@vulncheck.com)
Correlaciones IOC
Sin correlaciones registradas
This product uses data from the NVD API but is not endorsed or certified by the NVD.