CVE-2026-28464
Published: 05 March 2026
Summary
CVE-2026-28464 is a medium-severity Observable Timing Discrepancy (CWE-208) vulnerability in OpenClaw. Its CVSS base score is 5.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 40.6th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
Threat & Defense Details
Likely Mitigating Controls (AI-generated)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
The CVE enables remote exploitation of a public-facing hooks endpoint (T1190): a timing side-channel in token validation lets an attacker infer the application's hook authentication token (T1528).
NVD Description
OpenClaw versions prior to 2026.2.12 use non-constant-time string comparison for hook token validation, allowing attackers to infer tokens through timing measurements. Remote attackers with network access to the hooks endpoint can exploit timing side-channels across multiple requests to gradually determine the authentication token.
Deeper analysis (AI-generated)
CVE-2026-28464 affects OpenClaw versions prior to 2026.2.12, where the software uses non-constant-time string comparison during hook token validation. This flaw, classified under CWE-208 (Observable Timing Discrepancy), enables attackers to infer authentication tokens through precise timing measurements. The vulnerability carries a CVSS v3.1 base score of 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N): network-reachable with no privileges or user interaction required, but high attack complexity, with high confidentiality impact and no impact on integrity or availability.
Remote attackers with network access to the OpenClaw hooks endpoint can exploit this timing side-channel by sending multiple crafted requests and measuring response times. Because an early-exit comparison stops at the first mismatching character, each response leaks how long a prefix of the submitted token matched; aggregated over many requests, these measurements allow gradual determination of the authentication token, potentially granting unauthorized access to protected hooks functionality without requiring privileges or user interaction.
Mitigation involves upgrading to OpenClaw version 2026.2.12 or later, as indicated by the patch in commit 113ebfd6a23c4beb8a575d48f7482593254506ec. Additional details are available in the GitHub Security Advisory GHSA-jmm5-fvh5-gf4p and the VulnCheck advisory at https://www.vulncheck.com/advisories/openclaw-timing-attack-in-hooks-token-authentication.
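The following is an added illustration of the weakness class and its fix; it is not OpenClaw's code, and the page does not show the affected comparison or state the project's implementation language, so Python is an assumption. The token, the validator classes and the attacker loop are constructed for the demonstration, and a loop-iteration counter stands in for wall-clock time so the run is deterministic.

```python
"""CWE-208 in token validation: early-exit compare vs constant-time compare.

Constructed example. `work` counts comparison steps as a deterministic
stand-in for response time; a real attacker would measure latency and
average many samples per guess.
"""
import hashlib
import hmac
import secrets
import string

ALPHABET = string.ascii_lowercase + string.digits


class LeakyValidator:
    """Early-exit string compare, the pattern behind CWE-208.

    The loop stops at the first mismatching character, so the work done
    (and the response time) grows with the length of the correct prefix
    in the candidate token. Constructed stand-in, not OpenClaw's code.
    """

    def __init__(self, token: str) -> None:
        self._token = token
        self.work = 0  # comparison steps performed by the last check

    def check(self, candidate: str) -> bool:
        self.work = 0
        if len(candidate) != len(self._token):
            return False
        for a, b in zip(candidate, self._token):
            self.work += 1
            if a != b:
                return False
        return True


class ConstantTimeValidator:
    """Hardened check: hash both sides, then hmac.compare_digest.

    Hashing first gives both operands a fixed length, so neither the
    token's length nor a matching prefix changes the comparison.
    compare_digest examines every byte regardless of input; `work`
    records that fixed cost so the attacker loop can target both classes.
    """

    def __init__(self, token: str) -> None:
        self._digest = hashlib.sha256(token.encode()).digest()
        self.work = 0

    def check(self, candidate: str) -> bool:
        cand = hashlib.sha256(candidate.encode()).digest()
        self.work = len(self._digest)  # input-independent
        return hmac.compare_digest(cand, self._digest)


def recover_token(validator, length: int, alphabet: str = ALPHABET) -> str:
    """Attacker model for the side channel.

    For each position, submit every symbol padded to the full length and
    keep the one that made the server do the most work, i.e. that
    extended the matching prefix. A successful check (the success
    response an attacker would see) ends the search. Against a
    constant-time validator every guess costs the same, so the loop
    learns nothing and falls back to the first symbol at each position.
    """
    known = ""
    for pos in range(length):
        best_sym, best_work = alphabet[0], -1
        for sym in alphabet:
            guess = known + sym + alphabet[0] * (length - pos - 1)
            if validator.check(guess):
                return guess
            if validator.work > best_work:
                best_sym, best_work = sym, validator.work
        known += best_sym
    return known


if __name__ == "__main__":
    token = "".join(secrets.choice(ALPHABET) for _ in range(8))  # constructed
    print("leaky compare recovered token:",
          recover_token(LeakyValidator(token), len(token)) == token)
    print("constant-time compare recovered token:",
          recover_token(ConstantTimeValidator(token), len(token)) == token)
```

Against the early-exit validator the loop recovers an 8-character token in at most 8 × 36 requests; against the hashed, constant-time validator it gets no signal. In practice the per-request difference is nanoseconds buried in network jitter, which is why the attack needs many samples per candidate and why the CVSS vector rates attack complexity as high; it does not make the leak safe. Hashing before comparing also removes the length leak that a bare constant-time compare of variable-length strings would still have. The same pattern applies in other runtimes (for example Node's `crypto.timingSafeEqual`), which is general guidance, not a statement about how the OpenClaw fix is implemented.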
Details
- CWE(s)