PT-2026-22356 · Npm · Openclaw
Published 2026-02-17 · Updated 2026-02-17
CVSS v3.1: 9.8 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Summary
The gateway WebSocket connect handshake could allow skipping device identity checks when auth.token was present but not yet validated.
Details
In src/gateway/server/ws-connection/message-handler.ts, the device-identity requirement could be bypassed based on the presence of a non-empty connectParams.auth.token rather than a validated shared-secret authentication result.
Impact
In deployments where the gateway WebSocket is reachable and connections can be authorized via Tailscale without validating the shared secret, a client could connect without providing device identity/pairing. Depending on version and configuration, this could result in operator access.
Deployment Guidance
Per OpenClaw security guidance, the gateway should only be reachable from a trusted network and by trusted users (for example, restrict Tailnet users/ACLs when using Tailscale Serve).
If the gateway WebSocket is only reachable by trusted users, there is typically no untrusted party with network access to exploit this issue.
Affected Packages / Versions
- Package: openclaw (npm)
- Affected: <= 2026.2.1
- Fixed: >= 2026.2.2
Fix
Device-identity skipping now requires validated shared-secret authentication (token/password). Tailscale-authenticated connections without validated shared secret require device identity.
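To make the difference between "a token was sent" and "a shared secret was validated" concrete, the following TypeScript model is added here. It is not OpenClaw's code: the types, function names and the simplified token/Tailscale flow are assumptions, and the shared secret and connect parameters are constructed values. It places a gate that keys on the presence of auth.token (the pattern this advisory describes) beside one that keys on the validated authentication result (the fix), and runs both over the same handshake scenarios.

```typescript
// Illustrative model of the connect-handshake gating (assumed shapes, not OpenClaw's code).
type ConnectParams = {
  auth?: { token?: string };
  device?: { id: string; pairingProof: string }; // device identity / pairing material (assumed)
};

type ConnectContext = {
  tailscaleAuthorized: boolean; // peer accepted on the basis of Tailscale identity (assumed flag)
  sharedSecret: string;         // the gateway's configured token
};

type AuthResult = {
  ok: boolean;
  method: "token" | "tailscale" | "none";
  sharedSecretValidated: boolean; // true only when the presented secret was checked and matched
};

// A gate answers: does this connection still have to present device identity?
type DeviceIdentityGate = (params: ConnectParams, auth: AuthResult) => boolean;

type Decision = { accepted: boolean; reason: string };

// Constant-time string comparison so a wrong token does not leak match length.
function constantTimeEqual(a: string, b: string): boolean {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Authentication as the advisory describes it: a Tailscale-authorized connection is accepted
// without validating the shared secret; otherwise the token must match the configured secret.
function authenticate(params: ConnectParams, ctx: ConnectContext): AuthResult {
  if (ctx.tailscaleAuthorized) {
    return { ok: true, method: "tailscale", sharedSecretValidated: false };
  }
  const token = params.auth?.token ?? "";
  if (token !== "" && constantTimeEqual(token, ctx.sharedSecret)) {
    return { ok: true, method: "token", sharedSecretValidated: true };
  }
  return { ok: false, method: "none", sharedSecretValidated: false };
}

// Vulnerable gate: a non-empty auth.token skips device identity even though nothing
// has confirmed that the token is correct.
const vulnerableGate: DeviceIdentityGate = (params, _auth) =>
  (params.auth?.token ?? "") === "";

// Fixed gate: only a validated shared secret skips device identity. Tailscale-authorized
// connections that did not validate the secret must still present device identity.
const fixedGate: DeviceIdentityGate = (_params, auth) => !auth.sharedSecretValidated;

function handleConnect(params: ConnectParams, ctx: ConnectContext, gate: DeviceIdentityGate): Decision {
  const auth = authenticate(params, ctx);
  if (!auth.ok) return { accepted: false, reason: "unauthenticated" };
  if (gate(params, auth) && !params.device) {
    return { accepted: false, reason: "device identity required" };
  }
  return { accepted: true, reason: `authenticated via ${auth.method}` };
}

// Constructed scenarios run through both gates.
function runScenarios() {
  const SECRET = "example-shared-secret"; // constructed value
  const viaTailscale: ConnectContext = { tailscaleAuthorized: true, sharedSecret: SECRET };
  const direct: ConnectContext = { tailscaleAuthorized: false, sharedSecret: SECRET };
  const junkTokenNoDevice: ConnectParams = { auth: { token: "not-the-secret" } };
  const validTokenNoDevice: ConnectParams = { auth: { token: SECRET } };
  const noTokenNoDevice: ConnectParams = {};
  const noTokenWithDevice: ConnectParams = { device: { id: "dev-1", pairingProof: "proof" } };
  return {
    // Tailscale-authorized peer sends an arbitrary token and no device identity
    junkTokenVulnerable: handleConnect(junkTokenNoDevice, viaTailscale, vulnerableGate),
    junkTokenFixed: handleConnect(junkTokenNoDevice, viaTailscale, fixedGate),
    // A correct token still legitimately skips device identity under the fix
    validTokenFixed: handleConnect(validTokenNoDevice, direct, fixedGate),
    // Tailscale-authorized peer without any token must pair under both gates
    noTokenVulnerable: handleConnect(noTokenNoDevice, viaTailscale, vulnerableGate),
    noTokenFixed: handleConnect(noTokenNoDevice, viaTailscale, fixedGate),
    // Tailscale-authorized peer that does present device identity is accepted
    withDeviceFixed: handleConnect(noTokenWithDevice, viaTailscale, fixedGate),
  };
}
```

The only behavioural difference between the two gates is the junk-token scenario: the vulnerable gate accepts a Tailscale-authorized client that sent any non-empty token without device identity, while the fixed gate rejects it with "device identity required". Every other scenario decides the same way under both, which is what makes the defect easy to miss in testing that only exercises valid tokens.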
Fix Commit(s)
- fe81b1d7125a014b8280da461f34efbf5f761575
Thanks @simecek for reporting.
Fix
Missing Authentication
Weakness Enumeration
Related identifiers
Affected products
Openclaw