Impact
OpenClaw versions before 2026.2.26 allow a client to send reconnect metadata containing "platform" and "deviceFamily" fields that are not incorporated into the device‑authentication signature. Because these fields are not signed, an attacker who already owns a paired node identity on the trusted network can spoof the metadata to impersonate a different platform. This manipulation bypasses platform‑based node command policies, enabling the attacker to execute commands that would normally be restricted for that platform. The vulnerability is categorized as CWE-290 (Authentication Bypass by Spoofing) and presents a high potential for privilege escalation within the trusted network.
Affected Systems
All OpenClaw products (OpenClaw:OpenClaw) with versions earlier than 2026.2.26 are affected. No additional version data was supplied. The affected platform can be identified using the provided CPE string: cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*.
Risk and Exploitability
The CVSS score of 8.6 indicates a high severity. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog, indicating that no public exploitation has been recorded so far. Attack conditions require an attacker to have a valid, paired node identity within the trusted network, meaning the threat is primarily internal or requires the adversary to gain access to the network first. If that condition is met, the attacker can easily spoof the metadata and bypass the intended command restrictions. The risk is therefore significant for environments that rely on platform‑based command gating, and mitigation should be performed promptly.
OpenCVE Enrichment
GitHub GHSA