CVE-2026-28475

MEDIUM SEVERITY

CVSS Score & Metrics

Base Score

4.8 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N                                    

Vulnerability Description

OpenClaw versions prior to 2026.2.13 use non-constant-time string comparison for hook token validation, allowing attackers to infer tokens through timing measurements. Remote attackers with network access to the hooks endpoint can exploit timing side-channels across multiple requests to gradually recover the authentication token.

Vulnerability Details

Published Date

March 05, 2026

Last Modified

March 11, 2026

CWE ID

CWE-208

Source

NVD

Vendor

OpenClaw

Product

OpenClaw

External References

https://github.com/openclaw/openclaw/commit/113ebfd6a23c4beb8a575d48f7482593254506ec
https://github.com/openclaw/openclaw/security/advisories/GHSA-47q7-97xp-m272
https://www.vulncheck.com/advisories/openclaw-timing-attack-via-hook-token-comparison

CVE-2026-28475

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment