Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
OpenClaw versions prior to 2026.2.25 contain an authentication bypass vulnerability in the trusted-proxy Control UI pairing mechanism that accepts client.id=control-ui without proper device identity verification. An authenticated node role websocket client can exploit this by using the control-ui client identifier to skip pairing requirements and gain unauthorized access to node event execution flows.
AnalysisAI
OpenClaw versions before 2026.2.25 allow authenticated attackers with node role permissions to bypass device pairing requirements in the Control UI by spoofing the control-ui client identifier, enabling unauthorized access to node event execution flows. Public exploit code exists for this authentication bypass vulnerability. The vulnerability requires prior authentication and has moderate integrity impact potential.
Technical ContextAI
The vulnerability exists in OpenClaw's trusted-proxy Control UI pairing mechanism, a component responsible for authenticating and authorizing websocket clients before granting access to node event execution capabilities. The root cause, classified under CWE-807 (Reliance on Untrusted Inputs in a Security Decision), stems from the system accepting the client.id parameter (specifically the hardcoded value 'control-ui') without verifying the actual device identity or legitimacy of the requesting entity. OpenClaw (cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:*:*:*) uses websocket-based communication for node orchestration and event handling; the pairing mechanism is intended to enforce a cryptographic or cryptographic-adjacent handshake between authorized control interfaces and worker nodes. By failing to validate that the connecting entity is actually a legitimate control-ui instance—rather than merely checking for the presence of that identifier—the system allows any authenticated websocket client with node role privileges to assume control-ui authority and access protected event execution flows.
RemediationAI
Upgrade OpenClaw to version 2026.2.25 or later to apply the security patch (commit ec45c317f5d0631a3d333b236da58c4749ede2a3). Organizations unable to patch immediately should implement the following mitigations: restrict websocket connections to the OpenClaw trusted-proxy to a whitelist of known control-ui endpoint IP addresses or hostnames, enforce mutual TLS (mTLS) authentication with certificate pinning for control-ui pairing handshakes, and implement detailed audit logging on all websocket client.id parameter values to detect attempted spoofing. Monitor for connections presenting client.id=control-ui from unexpected sources and implement network segmentation to isolate node websocket listeners from untrusted networks. See the vendor advisory at https://github.com/openclaw/openclaw/security/advisories/GHSA-vvgp-4c28-m3jm for official guidance.
Auth bypass in OpenClaw voice-call extension before 2026.2.1. EPSS 0.68%. PoC and patch available.
Privilege escalation in OpenClaw (pre-2026.3.28) allows unauthenticated remote attackers to gain administrative access b
OpenClaw versions 2026.2.22 through 2026.2.24 contain a privilege escalation vulnerability that allows authenticated att
An authorization mismatch vulnerability in OpenClaw versions prior to 2026.3.1 allows authenticated users with operator.
OpenClaw versions prior to 2026.1.29 automatically establish WebSocket connections to attacker-controlled gateway URLs e
Path traversal in OpenClaw through version 2026.3.23 enables unauthenticated remote attackers to read arbitrary files in
OpenClaw sandbox browser functionality launches x11vnc for noVNC observer sessions without requiring authentication, all
OpenClaw versions before 2026.2.26 allow authenticated attackers to write arbitrary files outside the workspace director
OpenClaw versions prior to 2026.2.22 contain a shell environment variable injection vulnerability in the system.run func
OpenClaw versions prior to 2026.2.22 contain a resource exhaustion vulnerability where the application fails to consiste
OpenClaw versions prior to 2026.3.1 contain a sandbox escape vulnerability that allows authenticated attackers with low
OpenClaw versions 2026.1.30 and below fail to validate Telegram webhook secret tokens when `channels.telegram.webhookSec
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-13960