CVE-2026-28464: OpenClaw has non-constant-time token comparison in hooks authentication
(updated )
OpenClaw hooks previously compared the provided hook token using a regular string comparison. Because this comparison is not constant-time, an attacker with network access to the hooks endpoint could potentially use timing measurements across many requests to gradually infer the token.
In practice, this typically requires hooks to be exposed to an untrusted network and a large number of requests; real-world latency and jitter can make reliable measurement difficult.
References
- github.com/advisories/GHSA-jmm5-fvh5-gf4p
- github.com/openclaw/openclaw
- github.com/openclaw/openclaw/commit/113ebfd6a23c4beb8a575d48f7482593254506ec
- github.com/openclaw/openclaw/security/advisories/GHSA-jmm5-fvh5-gf4p
- nvd.nist.gov/vuln/detail/CVE-2026-28464
- www.vulncheck.com/advisories/openclaw-timing-attack-in-hooks-token-authentication
Code Behaviors & Features
Detect and mitigate CVE-2026-28464 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →