GHSA-rv39-79c4-7459: OpenClaw's gateway connect could skip device identity checks when auth.token was present but not yet validated

February 17, 2026

The gateway WebSocket connect handshake could allow skipping device identity checks when auth.token was present but not yet validated.

References

github.com/advisories/GHSA-rv39-79c4-7459
github.com/openclaw/openclaw
github.com/openclaw/openclaw/commit/fe81b1d7125a014b8280da461f34efbf5f761575
github.com/openclaw/openclaw/releases/tag/v2026.2.2
github.com/openclaw/openclaw/security/advisories/GHSA-rv39-79c4-7459

Code Behaviors & Features

Detect and mitigate GHSA-rv39-79c4-7459 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →