OpenClaw WebSocket Gateway Connect Handshake Device Identity Check Bypass Vulnerability

Vulnerability

The gateway WebSocket connect handshake in OpenClaw versions prior to 2026.2.2 allows device identity checks to be bypassed when auth.token is present but not validated. An attacker can connect to the gateway without providing device identity or pairing, potentially gaining operator access in affected deployments.

Impact

Successful exploitation allows unauthorized connections to the gateway WebSocket, bypassing device identity requirements. This could lead to operator access, depending on the version and configuration.

Reproduction

To reproduce this vulnerability, connect to the OpenClaw gateway WebSocket using a Tailscale-authenticated connection. Include a non-empty auth.token in the connection request; the token is not validated. The connection is accepted without the required device identity, bypassing the authentication checks.

Remediation

Users should update to OpenClaw version 2026.2.2 or later, where this vulnerability has been patched. After updating, ensure that the gateway WebSocket is only accessible from trusted networks and users.
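
The flaw class described above, a credential field checked for presence rather than validity, modelled next to a hardened check. This is an added example, not OpenClaw's code: the request shape, cfg.gatewayToken, cfg.pairedDeviceIds, the helper names and the rule that a verified token waives device identity are all assumptions.

```javascript
// Illustrative model, not OpenClaw source. auth.token and device identity follow
// the advisory's wording; every other name here is hypothetical.

// Constant-time comparison so the token check does not leak a matching prefix.
function safeEqual(a, b) {
  let diff = a.length ^ b.length;
  for (let i = 0; i < a.length; i++) {
    diff |= a.charCodeAt(i) ^ b.charCodeAt(i % (b.length || 1));
  }
  return diff === 0;
}

// Simplified pairing check (assumption): a real gateway would also verify a
// signature made with the paired device's key.
function isPairedDevice(device, cfg) {
  return Boolean(device && cfg.pairedDeviceIds.has(device.id));
}

// Flawed pattern: a non-empty auth.token is treated as proof of authentication,
// so the device identity requirement is skipped although nothing was verified.
function authorizeFlawed(req, cfg) {
  const hasToken = Boolean(req.auth && req.auth.token);
  if (!hasToken && !isPairedDevice(req.device, cfg)) {
    return { ok: false, reason: "device identity required" };
  }
  return { ok: true };
}

// Hardened pattern: device identity is waived only after the token has been
// verified against the configured secret; presence alone counts for nothing.
function authorizeHardened(req, cfg) {
  const token = req.auth && req.auth.token;
  const secret = cfg.gatewayToken;
  const tokenValid = typeof token === "string" && typeof secret === "string" &&
    secret.length > 0 && safeEqual(token, secret);
  if (token && !tokenValid) return { ok: false, reason: "invalid token" };
  if (!tokenValid && !isPairedDevice(req.device, cfg)) {
    return { ok: false, reason: "device identity required" };
  }
  return { ok: true };
}

// Constructed sample configuration and handshake payload.
const sampleCfg = { gatewayToken: "constructed-secret-for-example", pairedDeviceIds: new Set(["dev-1"]) };
const unverified = { auth: { token: "not-checked-by-anyone" } };

console.log(authorizeFlawed(unverified, sampleCfg));   // accepted by the flawed check
console.log(authorizeHardened(unverified, sampleCfg)); // rejected by the hardened check
```

A regression test for the patched handshake can assert the same pair of outcomes: an unverified token with no device identity must be rejected, and a paired device with no token must still connect.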

Added: Mar 5, 2026, 10:32 PM
Updated: Mar 5, 2026, 10:32 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 8.0
remediation: 0.0
relevance: 3.5
threat: 4.8
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.