OpenClaw Metadata Spoofing Vulnerability Bypassing Node Command Policies
Vulnerability
A metadata spoofing vulnerability has been identified in OpenClaw versions prior to 2026.2.26. It allows an attacker holding a paired node identity on the trusted network to spoof the platform and deviceFamily fields in the reconnect metadata. The root cause is that these fields are not covered by the device-auth signature, so they can be altered without invalidating the signature; the gateway then applies its platform-based node command policy to the spoofed values, giving the attacker access to commands that should be restricted.
Impact
Exploitation of this vulnerability could lead to unauthorized access to node commands that are normally restricted based on the device's platform.
Reproduction
To reproduce this vulnerability, connect a paired node device to the OpenClaw gateway and spoof the platform and deviceFamily metadata fields in the reconnect request. Because these fields are not part of the signed device-auth payload, the gateway accepts them as sent, and the platform-based command restrictions on the node are bypassed.
Remediation
Users can update to OpenClaw version 2026.2.26 or later, where this vulnerability has been patched.