CVE-2026-28464
📋 TL;DR
OpenClaw versions before 2026.2.12 use non-constant-time string comparison for hook token validation, allowing attackers to infer authentication tokens through timing side-channel attacks. Remote attackers with network access to the hooks endpoint can exploit this vulnerability to gradually determine valid tokens across multiple requests. This affects all OpenClaw deployments using hook authentication.
💻 Affected Systems
- OpenClaw
⚠️ Manual Verification Required
The structured CVE record in this database carries no version ranges (none were supplied in the vendor/NVD entry), so automatic vulnerability detection cannot determine whether your system is affected. The vendor advisory linked under Official Fix states that versions before 2026.2.12 are affected, so rely on the version check under How to Verify rather than on automated scanning.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers fully compromise hook authentication tokens, gaining unauthorized access to execute arbitrary hooks, potentially leading to data exfiltration, system compromise, or service disruption.
Likely Case
Attackers gradually infer valid tokens over time, gaining unauthorized access to hook endpoints which may allow injection of malicious payloads or unauthorized system actions.
If Mitigated
With proper network segmentation and access controls, impact is limited to isolated hook functionality with minimal data exposure.
🎯 Exploit Status
Exploitation requires network access to the hooks endpoint and the ability to send many requests while measuring response times. Network jitter raises the number of samples needed per byte but does not prevent the attack, and each recovered byte narrows the search for the next one, so the work is linear in the token length rather than exponential.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2026.2.12
Vendor Advisory: https://github.com/openclaw/openclaw/security/advisories/GHSA-jmm5-fvh5-gf4p
Restart Required: Yes
Instructions:
1. Update OpenClaw to version 2026.2.12 or later.
2. Restart the OpenClaw service.
3. Verify the fix by checking the version and testing hook authentication.
🔧 Temporary Workarounds
Network Access Restriction
Restrict network access to the hooks endpoint using firewall rules or network segmentation (Linux example; replace the placeholders with the port the hooks listener uses and the CIDR of the callers that need to reach it):
# Rules are matched in order, so the ACCEPT for the trusted source must precede the DROP.
# If the INPUT chain already contains a broad ACCEPT, use -I (insert at the top) instead of -A.
iptables -A INPUT -p tcp --dport [HOOKS_PORT] -s [TRUSTED_NETWORK] -j ACCEPT
iptables -A INPUT -p tcp --dport [HOOKS_PORT] -j DROP
Rate Limiting
Implement rate limiting on the hooks endpoint (any platform). Capping requests per source slows the attack and forces the attacker to work with fewer, noisier timing samples, but it does not remove the leak: an attacker with many source addresses or enough patience can still collect samples, so treat it as a stopgap until the patch is applied.
# Configure rate limiting in the reverse proxy or web server in front of OpenClaw, or in the application configuration if it supports it
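Added example of the rate-limiting workaround, written for an nginx reverse proxy placed in front of OpenClaw. This is not OpenClaw's configuration; the backend address 127.0.0.1:[HOOKS_PORT], the path /hooks, the trusted range 10.0.0.0/8 and the 5 requests/second limit are assumptions to adapt to your deployment.

```nginx
# Added example: per-source rate limit plus an allow-list for the hooks endpoint.
# Assumptions (not from the advisory): OpenClaw's hooks listener is bound to
# 127.0.0.1:[HOOKS_PORT], hook requests arrive under /hooks, and trusted callers
# come from 10.0.0.0/8. limit_req_zone must sit in the http context.
limit_req_zone $binary_remote_addr zone=hooks:10m rate=5r/s;

server {
    listen 443 ssl;
    server_name openclaw.example.internal;
    # ssl_certificate / ssl_certificate_key omitted for brevity

    location /hooks {
        # Network restriction: only the trusted range may reach the endpoint at all.
        allow 10.0.0.0/8;
        deny all;

        # Rate limit: 5 r/s sustained, short bursts of 10 allowed, excess answered with 429
        # instead of being queued (nodelay), so an attacker cannot smooth out timing by waiting.
        limit_req zone=hooks burst=10 nodelay;
        limit_req_status 429;

        proxy_pass http://127.0.0.1:[HOOKS_PORT];
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Keying the zone on $binary_remote_addr limits each source address independently, which is exactly what a distributed attacker gets around, so pair it with the allow-list and with the log monitoring described further down.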
🧯 If You Can't Patch
- Implement network segmentation to isolate the hooks endpoint from untrusted networks.
- Deploy a reverse proxy with constant-time comparison logic in front of the vulnerable endpoint.
🔍 How to Verify
Check if Vulnerable:
Check the OpenClaw version: if it is lower than 2026.2.12 and the hooks endpoint is enabled, the system is vulnerable.
Check Version:
openclaw --version
Verify Fix Applied:
Verify that the running version is 2026.2.12 or later, then confirm that hook authentication still accepts the valid token and rejects an invalid one. The version check is the reliable test; demonstrating the absence of a timing leak over a network with timing analysis tools requires a large number of samples and is better suited to a lab than to a production verification step.
📡 Detection & Monitoring
Log Indicators:
- Unusual number of hook authentication failures from a single IP
- Repeated hook authentication attempts from one source with varying tokens (near-misses differing in one position are characteristic of byte-by-byte recovery)
Network Indicators:
- High volume of requests to the hooks endpoint from a single source
- Regularly spaced authentication requests (scripted probing that needs comparable timing samples)
SIEM Query:
source="openclaw.log" (authentication_failure OR hook_auth) | stats count by src_ip | where count > 100