PT-2026-23547 · Openclaw · Openclaw

Petr Simecek · Published 2026-02-17 · Updated 2026-03-07 · CVE-2026-28472

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.2.2

Description: The gateway WebSocket connect handshake skips device identity checks when auth.token is present, without validating it. An attacker can therefore connect to the gateway without presenting a device identity or completing pairing simply by supplying any non-empty auth.token, because the handler checks for the token's presence rather than for a validated authentication result; in vulnerable deployments this can yield operator access. The issue resides in src/gateway/server/ws-connection/message-handler.ts, where the device-identity requirement is bypassed based on a non-empty connectParams.auth.token rather than on a validated shared-secret authentication result. As a general hardening measure, the gateway should only be reachable from a trusted network and by trusted users.

Recommendations: Upgrade to OpenClaw 2026.2.2 or later. In the fixed version, skipping device identity requires validated shared-secret authentication (token/password); Tailscale-authenticated connections without a validated shared secret still require device identity.
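The following is an added illustration of the flaw and the fix as the advisory describes them; it is constructed for this page and is not OpenClaw's message-handler.ts. The parameter shapes (ConnectParams, GatewayConfig, the device fields), the function names and the sample secrets are all assumptions. The vulnerable decision skips device identity whenever auth.token is non-empty; the hardened decision skips it only on a validated shared-secret result, and treats a Tailscale-authenticated peer without a validated secret as still needing device identity.

```typescript
// Constructed model of the gateway connect handshake described in the advisory.
// Not OpenClaw's code; all type shapes and names here are hypothetical.
interface ConnectParams {
  auth?: { token?: string; password?: string };
  device?: { id: string; pairingProof: string }; // hypothetical device-identity fields
}

interface GatewayConfig {
  sharedSecret?: string; // hypothetical: the token/password the operator configured
}

type AuthResult =
  | { method: "shared-secret"; validated: boolean }
  | { method: "tailscale"; validated: boolean }
  | { method: "none"; validated: false };

// Constant-time string comparison so a wrong secret leaks nothing via timing.
function constantTimeEqual(a: string, b: string): boolean {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Actually validate the presented secret against the configured one.
function authenticate(params: ConnectParams, cfg: GatewayConfig, viaTailscale: boolean): AuthResult {
  const presented = params.auth?.token || params.auth?.password;
  if (presented) {
    const validated = cfg.sharedSecret !== undefined && constantTimeEqual(presented, cfg.sharedSecret);
    return { method: "shared-secret", validated };
  }
  if (viaTailscale) return { method: "tailscale", validated: true };
  return { method: "none", validated: false };
}

function hasDeviceIdentity(params: ConnectParams): boolean {
  return Boolean(params.device?.id && params.device?.pairingProof);
}

// Vulnerable decision (behaviour the advisory attributes to versions prior to 2026.2.2):
// a non-empty auth.token is enough to skip the device-identity requirement,
// whether or not that token is correct.
function deviceIdentityRequiredVulnerable(params: ConnectParams): boolean {
  const token = params.auth?.token;
  return !(token && token.length > 0);
}

// Hardened decision: skip device identity only when shared-secret authentication
// actually validated. A Tailscale-authenticated peer without a validated shared
// secret still has to present device identity.
function deviceIdentityRequiredFixed(auth: AuthResult): boolean {
  return !(auth.method === "shared-secret" && auth.validated);
}

// Simulated handshake outcome for both code paths.
function handleConnect(
  params: ConnectParams,
  cfg: GatewayConfig,
  viaTailscale: boolean,
  fixed: boolean,
): "accepted" | "rejected" {
  if (fixed) {
    const auth = authenticate(params, cfg, viaTailscale);
    // A wrong shared secret is an authentication failure, never a reason to skip checks.
    if (auth.method === "shared-secret" && !auth.validated) return "rejected";
    if (deviceIdentityRequiredFixed(auth) && !hasDeviceIdentity(params)) return "rejected";
    return "accepted";
  }
  // Vulnerable path: presence check only, token never validated here.
  if (deviceIdentityRequiredVulnerable(params) && !hasDeviceIdentity(params)) return "rejected";
  return "accepted";
}

// Constructed sample inputs.
const cfg: GatewayConfig = { sharedSecret: "correct-horse-battery-staple" };
const attacker: ConnectParams = { auth: { token: "anything-non-empty" } };
const legit: ConnectParams = { auth: { token: "correct-horse-battery-staple" } };
const tailscalePeerNoDevice: ConnectParams = {};
const tailscalePeerWithDevice: ConnectParams = { device: { id: "dev-1", pairingProof: "paired" } };

console.log("vulnerable, bogus token:", handleConnect(attacker, cfg, false, false));
console.log("fixed, bogus token:", handleConnect(attacker, cfg, false, true));
console.log("fixed, tailscale without device identity:", handleConnect(tailscalePeerNoDevice, cfg, true, true));
console.log("fixed, tailscale with device identity:", handleConnect(tailscalePeerWithDevice, cfg, true, true));
```

The point of the model is the second branch: the hardened path derives the skip decision from the result of authenticate(), not from whether a token field was sent, so an attacker's arbitrary token neither bypasses pairing nor is accepted as a shared secret.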

Fix

Weakness Enumeration

Missing Authentication

Related Identifiers

CVE-2026-28472
GHSA-RV39-79C4-7459

Affected Products

Openclaw