CVE-2026-28472

CRITICAL 9.8 | EPSS 0.06%

OpenClaw's gateway connect could skip device identity checks when auth.token was present but not yet validated

Published: 2026/2/17 | Modified: 2026/3/10

Description

### Summary

The gateway WebSocket `connect` handshake could allow skipping device identity checks when `auth.token` was present but not yet validated.

### Details

In `src/gateway/server/ws-connection/message-handler.ts`, the device-identity requirement could be bypassed based on the *presence* of a non-empty `connectParams.auth.token` rather than a *validated* shared-secret authentication result.

### Impact

In deployments where the gateway WebSocket is reachable and connections can be authorized via Tailscale without validating the shared secret, a client could connect without providing device identity/pairing. Depending on version and configuration, this could result in operator access.

### Deployment Guidance

Per OpenClaw security guidance, the gateway should only be reachable from a trusted network and by trusted users (for example, restrict Tailnet users/ACLs when using Tailscale Serve). If the gateway WebSocket is only reachable by trusted users, there is typically no untrusted party with network access to exploit this issue.

### Affected Packages / Versions

- Package: `openclaw` (npm)
- Affected: `<= 2026.2.1`
- Fixed: `>= 2026.2.2`

### Fix

Device-identity skipping now requires *validated* shared-secret authentication (token/password). Tailscale-authenticated connections without a validated shared secret require device identity.

### Fix Commit(s)

- fe81b1d7125a014b8280da461f34efbf5f761575

Thanks @simecek for reporting.
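The ordering flaw described in Details and Fix, as an added illustration that is not OpenClaw's code: a simplified handshake model in which the Tailscale authorization result is passed in as a boolean, the `paired` flag stands in for device identity/pairing, and `SHARED_TOKEN` is a constructed placeholder.

```typescript
// Constructed demo config and values; none of this is OpenClaw's code.
const SHARED_TOKEN = "demo-shared-secret"; // placeholder, not a real secret

interface ConnectParams {
  auth?: { token?: string };
  device?: { id: string; paired: boolean }; // stand-in for device identity/pairing
}

interface Decision { accepted: boolean; reason: string }

// Stand-in for shared-secret validation. Production code should use a
// constant-time comparison (e.g. crypto.timingSafeEqual); kept simple here.
function tokenValidates(token: string | undefined): boolean {
  return token !== undefined && token === SHARED_TOKEN;
}

function deviceIdentityValid(p: ConnectParams): boolean {
  return p.device !== undefined && p.device.paired;
}

// Vulnerable shape (<= 2026.2.1): the device check is skipped on the *presence*
// of a non-empty auth.token. On a Tailscale-authorized connection the shared
// secret is never validated, so any non-empty token skips device identity.
function connectVulnerable(p: ConnectParams, tailscaleAuthorized: boolean): Decision {
  const tokenPresent = Boolean(p.auth?.token);
  if (!tailscaleAuthorized && !tokenValidates(p.auth?.token)) {
    return { accepted: false, reason: "unauthenticated" };
  }
  const skipDeviceIdentity = tokenPresent; // bug: presence, not validation
  if (!skipDeviceIdentity && !deviceIdentityValid(p)) {
    return { accepted: false, reason: "device identity required" };
  }
  return { accepted: true, reason: skipDeviceIdentity ? "token present" : "tailscale+device" };
}

// Fixed shape (>= 2026.2.2): skipping requires a *validated* shared secret;
// a Tailscale-authorized connection without it must present device identity.
function connectFixed(p: ConnectParams, tailscaleAuthorized: boolean): Decision {
  const sharedSecretOk = tokenValidates(p.auth?.token);
  if (!tailscaleAuthorized && !sharedSecretOk) {
    return { accepted: false, reason: "unauthenticated" };
  }
  const skipDeviceIdentity = sharedSecretOk; // validated result, not presence
  if (!skipDeviceIdentity && !deviceIdentityValid(p)) {
    return { accepted: false, reason: "device identity required" };
  }
  return { accepted: true, reason: skipDeviceIdentity ? "shared secret" : "tailscale+device" };
}
```

A regression check for this class of bug is the same in any gateway: a non-empty but invalid secret on a network-authorized connection must still be held to the device-identity requirement.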

Affected packages (1)

CVSS scores

| Source | Version | Severity | Vector |
| --- | --- | --- | --- |
| osv | CVSS 4.0 | | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |

References (6)