Missing Authentication for Critical Function in OpenClaw - CVE-2026-28472

Published: May 4, 2026

Vulnerability identifier: #VU129483
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-28472
CWE-ID: CWE-306
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OpenClaw
Affected software:
OpenClaw

Detailed vulnerability description

The vulnerability allows a remote user to bypass device identity checks and gain operator access.

The vulnerability exists due to missing authentication in the gateway WebSocket connect handshake in src/gateway/server/ws-connection/message-handler.ts when processing a connect request whose auth.token is non-empty but has not yet been validated. A remote user can send a specially crafted connect request to bypass device identity checks and gain operator access.

Exploitation is possible in deployments where the gateway WebSocket is reachable and connections can be authorized via Tailscale without validating the shared secret.
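The following is an added illustration of the bug class described above (CWE-306), not OpenClaw's code: a handshake authorizer that treats the mere presence of auth.token as proof of authentication, shown beside a version that requires the token to validate. The request shape, the shared secret, the trusted device list and the function names are all assumptions for the example.

```typescript
import { createHash, timingSafeEqual } from "crypto";

// Shape of a connect request as modelled here (field names assumed, not OpenClaw's).
interface ConnectRequest {
  auth?: { token?: string };
  device?: { id?: string };
}

// Constructed sample values for the example; a real deployment would load these.
const SHARED_SECRET = "example-shared-secret";
const TRUSTED_DEVICE_IDS = new Set(["device-a1"]);

// Constant-time comparison of the presented token against the shared secret.
// Hashing both sides first yields equal-length buffers, as timingSafeEqual requires.
function secretMatches(token: string): boolean {
  const presented = createHash("sha256").update(token).digest();
  const expected = createHash("sha256").update(SHARED_SECRET).digest();
  return timingSafeEqual(presented, expected);
}

// Stand-in for the device identity check that the flaw lets a caller skip (hypothetical).
function deviceIdentityVerified(req: ConnectRequest): boolean {
  const id = req.device?.id;
  return id !== undefined && TRUSTED_DEVICE_IDS.has(id);
}

// Vulnerable pattern: a non-empty token is treated as proof of authentication
// before it has been validated, so the device identity check is never reached
// and the caller is handed the operator role.
function authorizeVulnerable(req: ConnectRequest): "operator" | "denied" {
  const token = req.auth?.token ?? "";
  if (token.length > 0) return "operator"; // presence is not validity
  return deviceIdentityVerified(req) ? "operator" : "denied";
}

// Hardened pattern: a presented token must validate against the shared secret,
// and an invalid token fails closed rather than falling through to other paths.
function authorizeHardened(req: ConnectRequest): "operator" | "denied" {
  const token = req.auth?.token ?? "";
  if (token.length > 0) return secretMatches(token) ? "operator" : "denied";
  return deviceIdentityVerified(req) ? "operator" : "denied";
}
```

When reviewing a handshake handler, the check to look for is that every branch granting a privileged role is gated on a completed validation result, not on whether a credential field was supplied.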

How to mitigate CVE-2026-28472

Install the security update from the vendor's website.

Sources