Mar 11, 2026 · 6 min read
A logic flaw in OpenClaw < 2026.2.2 allows attackers to bypass device identity checks during the WebSocket handshake by providing an unvalidated dummy token, potentially leading to unauthorized operator access.
CVE-2026-28472 is a critical security vulnerability in the OpenClaw automation platform affecting all versions prior to 2026.2.2. The vulnerability resides in the gateway's WebSocket connection handshake logic, where a flaw in the authentication sequence allows unauthenticated attackers to bypass device identity verification. In environments utilizing secondary authentication providers, this can result in unauthorized operator access to the gateway.
OpenClaw operates as an automation platform relying on a centralized gateway component for device management and operator access. The gateway utilizes a WebSocket connection to handle real-time communication between paired devices and the control plane. CVE-2026-28472 identifies a critical authentication bypass vulnerability within this specific WebSocket handshake mechanism. All versions of the software prior to 2026.2.2 contain this structural flaw.
The vulnerability is formally classified as CWE-306: Missing Authentication for Critical Function. The flaw allows an unauthenticated, remote attacker to bypass mandatory device identity verification steps during the initial connection phase. This bypass occurs because the gateway improperly evaluates the presence of authentication tokens before validating their cryptographic integrity or correctness against a known state.
Exploiting this vulnerability requires specific environmental configurations to achieve full operator access. Specifically, the vulnerability manifests as a critical threat in deployments utilizing secondary identity providers, such as Tailscale, for network-level authentication. When combined with these proxy configurations, the logic flaw grants unauthorized operators full administrative access to the OpenClaw gateway infrastructure.
The root cause of CVE-2026-28472 is a classic "check-before-validation" logic flaw located within the src/gateway/server/ws-connection/message-handler.ts component. The OpenClaw gateway implements a mechanism to skip strict device identity checks, such as cryptographic pairing and registration validation, under certain conditions. This bypass functionality was intended strictly for authorized administrators possessing a valid shared secret or authentication token.
In vulnerable versions, the application determined eligibility for this bypass by checking the boolean presence of the auth.token field in the incoming request structure. The connection handler evaluated a hasTokenAuth variable, which simply returned true if the token field existed in the incoming JSON payload. The system completely failed to validate the contents of this token before granting the bypass authorization.
Consequently, an attacker could supply an arbitrary, invalid string such as "dummy" in the auth.token field. The hasTokenAuth condition would evaluate to true, incorrectly setting the canSkipDevice flag to true. The actual cryptographic validation of the token was deferred until later in the execution flow, by which point the device identity check had already been bypassed.
The logic flaw is evident when examining the state of src/gateway/server/ws-connection/message-handler.ts prior to the patch. The codebase relied on insecure conditional checks to establish the canSkipDevice state. The variable assignment directly trusted unvalidated input state from the client payload.
```ts
// Vulnerable implementation snippet
const hasTokenAuth = !!request.auth?.token;
const hasSharedAuth = !!request.auth?.password;
const canSkipDevice = allowControlUiBypass ? hasSharedAuth : hasTokenAuth;
```

Commit fe81b1d7125a014b8280da461f34efbf5f761575 resolves this vulnerability by completely restructuring the authentication execution flow. The patch forces the gateway to fully evaluate and validate the shared secret before assigning the bypass flag. The developers introduced a sharedAuthOk state variable that strictly requires successful cryptographic validation via an asynchronous call.
```ts
// Patched implementation snippet
const sharedAuthResult = await authorizeGatewayConnect(request.auth);
const sharedAuthOk = sharedAuthResult?.ok === true /* && additional strict checks */;
const canSkipDevice = sharedAuthOk;
```

This structural change ensures that identity provided by third parties cannot be used to bypass device requirements unless a valid administrative shared secret is also present. The authorizeGatewayConnect function now serves as a mandatory gatekeeper, preventing the authorization leap that previously allowed exploitation.
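To make the difference between the two snippets concrete, the following TypeScript is an added example and not OpenClaw's code. The request shape, the constructed shared secret, the constant-time comparison and the synchronous authorizeGatewayConnectStandIn (the real authorizeGatewayConnect is asynchronous and applies further checks) are all assumptions made for the demonstration; the two decision functions reproduce the vulnerable and patched derivations of canSkipDevice so that a "dummy" token can be fed through both and the outcomes compared.

```typescript
// Added example (not OpenClaw's code). Contrasts the vulnerable
// "is a token present?" check with the patched "was the token validated?"
// check. Request shape, secret and the authorizeGatewayConnect stand-in are
// assumptions for this demonstration.

interface ConnectAuth {
  token?: string;
  password?: string;
}

interface ConnectRequest {
  auth?: ConnectAuth;
}

// Constructed shared secret standing in for the gateway's configured one.
const GATEWAY_SHARED_SECRET = "s3cr3t-operator-token";

// Constant-time string comparison: always walks the full expected length so
// the time taken does not reveal where the first mismatching byte is.
function secretMatches(candidate: string | undefined): boolean {
  if (!candidate) return false;
  let diff = candidate.length ^ GATEWAY_SHARED_SECRET.length;
  for (let i = 0; i < GATEWAY_SHARED_SECRET.length; i++) {
    diff |=
      GATEWAY_SHARED_SECRET.charCodeAt(i) ^
      candidate.charCodeAt(i % candidate.length);
  }
  return diff === 0;
}

// Synchronous stand-in for authorizeGatewayConnect (assumption: the real
// function is async and applies further checks). It reports ok only when the
// supplied token or password actually matches the configured secret.
function authorizeGatewayConnectStandIn(
  auth: ConnectAuth | undefined,
): { ok: boolean } {
  return { ok: secretMatches(auth?.token) || secretMatches(auth?.password) };
}

// Vulnerable derivation (before commit fe81b1d7): the mere presence of
// auth.token is treated as proof of authorization, so any non-empty string
// skips the device identity check.
function canSkipDeviceVulnerable(
  request: ConnectRequest,
  allowControlUiBypass = false,
): boolean {
  const hasTokenAuth = !!request.auth?.token;
  const hasSharedAuth = !!request.auth?.password;
  return allowControlUiBypass ? hasSharedAuth : hasTokenAuth;
}

// Patched derivation: canSkipDevice is assigned only from the validated
// result, so a bogus token no longer reaches the bypass path.
function canSkipDevicePatched(request: ConnectRequest): boolean {
  const sharedAuthResult = authorizeGatewayConnectStandIn(request.auth);
  const sharedAuthOk = sharedAuthResult?.ok === true;
  return sharedAuthOk;
}

// Walk one request through both versions and return the two decisions.
function compareDecisions(request: ConnectRequest): {
  vulnerable: boolean;
  patched: boolean;
} {
  return {
    vulnerable: canSkipDeviceVulnerable(request),
    patched: canSkipDevicePatched(request),
  };
}
```

The design point is that a boolean derived from presence (`!!request.auth?.token`) and a boolean derived from validation (`result.ok === true`) have the same type but very different trust; the patched path keeps only the second, and the comparison is constant-time so that the validation step itself does not become a new side channel.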
The exploitation methodology for CVE-2026-28472 requires standard network access to the OpenClaw gateway's WebSocket endpoint. The attacker begins by initiating a standard HTTP GET request with the Upgrade: websocket header to the gateway server. Within the initial connection parameters or the first JSON frame, the attacker injects an auth.token field containing an arbitrary string value.
Upon receiving the request, the gateway parses the payload and sets the internal canSkipDevice flag to true. This action skips the mandatory check for a registered device identity or public key exchange. The connection successfully circumvents the primary access control mechanism designed to restrict gateway access to explicitly paired devices.
To achieve full operator access, the attacker relies on the target environment utilizing a secondary authentication method. If the gateway operates behind an identity-aware proxy that injects authorization headers, the system misinterprets the bypassed device check as a fully authorized session. The attacker gains the ability to execute operator commands against the gateway without possessing a valid device identity.
The security impact of CVE-2026-28472 is severe for environments matching the required configuration profile. Successful exploitation grants the attacker unauthorized operator-level access to the OpenClaw gateway. This access level permits the execution of administrative commands, manipulation of paired devices, and potential lateral movement into the broader managed infrastructure.
The CVSS v3.1 vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H results in a base score of 8.1. The High Attack Complexity (AC:H) correctly reflects the dependency on specific environmental configurations, namely the presence of a secondary identity provider like Tailscale. Without this secondary authorization mechanism, the dummy token bypass does not immediately yield full system compromise.
Despite the high complexity, the vulnerability requires no privileges (PR:N) and no user interaction (UI:N) to trigger. The resulting impact on confidentiality, integrity, and availability is total. The CVSS v4.0 score evaluates this combination at a 9.2 (Critical), emphasizing the severity of the unauthenticated access granted by the logic flaw.
The primary remediation for CVE-2026-28472 is an immediate upgrade to OpenClaw version 2026.2.2 or later. This release contains the complete logical fix implemented in commit fe81b1d7125a014b8280da461f34efbf5f761575. Administrators should prioritize patching systems exposed to untrusted networks or those utilizing identity-aware proxies for gateway access.
For environments where immediate patching is unfeasible, administrators must review the gateway configuration file. The dangerouslyDisableDeviceAuth parameter must be explicitly set to false, which is the default state. While this does not patch the underlying logic flaw, it enforces strict device authentication paths that mitigate the primary exploitation vector.
Additionally, network security controls should be implemented to restrict access to the WebSocket port. Access should be limited to known, trusted IP addresses or explicitly managed through a strictly configured Virtual Private Network (VPN). Continuous monitoring of gateway logs for anomalous unauthorized conn messages can help detect active exploitation attempts.
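As an added example of the log monitoring suggested above (not OpenClaw's code), the TypeScript below scans gateway log lines for "unauthorized conn" messages and flags any client address that produces more than a threshold of them inside a sliding time window. The line format, the from= field and the sample lines are constructed assumptions; the regular expression will need adapting to the real gateway's output.

```typescript
// Added example (not OpenClaw's code): burst detection over gateway log
// lines containing "unauthorized conn". The line format and the sample log
// below are constructed assumptions, not real OpenClaw output.

interface UnauthorizedConnEvent {
  at: number;      // epoch milliseconds
  source: string;  // client address as logged
}

// Assumed format: "<ISO timestamp> <anything> unauthorized conn <anything> from=<addr>"
const UNAUTHORIZED_CONN_RE = /^(\S+)\s.*unauthorized conn.*\bfrom=(\S+)/;

function parseUnauthorizedConn(line: string): UnauthorizedConnEvent | null {
  const m = UNAUTHORIZED_CONN_RE.exec(line);
  if (!m) return null;
  const at = Date.parse(m[1]);
  if (isNaN(at)) return null;
  return { at, source: m[2] };
}

// True when more than `threshold` timestamps fall inside any window of
// `windowMs` milliseconds (two-pointer sweep over sorted times).
function hasBurst(times: number[], threshold: number, windowMs: number): boolean {
  times.sort((a, b) => a - b);
  let start = 0;
  for (let end = 0; end < times.length; end++) {
    while (times[end] - times[start] > windowMs) start++;
    if (end - start + 1 > threshold) return true;
  }
  return false;
}

// Returns the sources whose unauthorized-connection count exceeds the
// threshold within the window; non-matching lines are ignored.
function flagUnauthorizedConnBursts(
  lines: string[],
  threshold: number,
  windowSeconds: number,
): string[] {
  const bySource = new Map<string, number[]>();
  for (const line of lines) {
    const ev = parseUnauthorizedConn(line);
    if (!ev) continue;
    const list = bySource.get(ev.source) ?? [];
    list.push(ev.at);
    bySource.set(ev.source, list);
  }
  const flagged: string[] = [];
  const windowMs = windowSeconds * 1000;
  bySource.forEach((times, source) => {
    if (hasBurst(times, threshold, windowMs)) flagged.push(source);
  });
  return flagged;
}

// Constructed sample log lines (not real OpenClaw output): one address
// hammers the handshake within seconds, another fails twice an hour apart.
const SAMPLE_GATEWAY_LOG = [
  "2026-03-11T10:00:01Z gateway ws unauthorized conn reason=device-not-paired from=203.0.113.5",
  "2026-03-11T10:00:02Z gateway ws unauthorized conn reason=device-not-paired from=203.0.113.5",
  "2026-03-11T10:00:03Z gateway ws unauthorized conn reason=device-not-paired from=203.0.113.5",
  "2026-03-11T10:00:04Z gateway ws unauthorized conn reason=device-not-paired from=203.0.113.5",
  "2026-03-11T10:00:05Z gateway ws connection accepted device=abc123 from=198.51.100.7",
  "2026-03-11T10:30:00Z gateway ws unauthorized conn reason=bad-token from=198.51.100.7",
  "2026-03-11T11:30:00Z gateway ws unauthorized conn reason=bad-token from=198.51.100.7",
];

// More than three unauthorized connections from one address within a minute.
function scanSampleLog(): string[] {
  return flagUnauthorizedConnBursts(SAMPLE_GATEWAY_LOG, 3, 60);
}
```

Tune the threshold and window to the deployment's normal rate of failed handshakes; the value of this check is in surfacing repeated failures from one address against the gateway, which is the pattern the mitigation text asks operators to watch for.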
| Product | Affected Versions | Fixed Version |
|---|---|---|
| OpenClaw | < 2026.2.2 | 2026.2.2 |

| Attribute | Detail |
|---|---|
| CWE ID | CWE-306 (Missing Authentication for Critical Function) |
| CVSS v3.1 Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Attack Vector | Network |
| CVSS v3.1 | 8.1 (High) |
| EPSS Score | 0.00041 (12.29%) |
| Impact | Unauthorized Operator Access |
| Exploit Status | Proof of Concept |
| CISA KEV | Not Listed |