CVE-2026-28464

OpenClaw · Multiple Products

OpenClaw uses non-constant-time string comparison for hook token validation, enabling remote attackers to infer tokens through timing side-channel attacks.

Executive summary

A timing side-channel vulnerability in OpenClaw allows remote attackers to perform unauthorized actions by gradually inferring authentication tokens through timing analysis.

Vulnerability

The vulnerability stems from the use of non-constant-time string comparison functions when validating hook authentication tokens. An unauthenticated remote attacker with network access to the hooks endpoint can measure validation response times across multiple requests to reconstruct the token and eventually bypass the authentication mechanism.

Business impact

By successfully inferring valid authentication tokens, an attacker can gain unauthorized access to sensitive hook endpoints. This compromises the integrity of automated workflows and potentially allows for further unauthorized actions within the system, justifying the critical 9.8 CVSS score.

Remediation

Immediate Action: Upgrade all OpenClaw installations to version 2026.2.12 or later to implement constant-time comparison logic.

Proactive Monitoring: Monitor network logs for high volumes of repeated requests to the hooks endpoint, which may indicate an ongoing timing attack.

Compensating Controls: Implement rate limiting on the hooks endpoint to significantly reduce the rate at which an attacker can collect timing measurements, making the attack impractical.

Exploitation status

Public Exploit Available: No

Analyst recommendation

Timing attacks can be subtle and difficult to detect without specific monitoring. It is imperative to patch to version 2026.2.12 to ensure that token validation is resistant to side-channel analysis and to prevent unauthorized access.