CVE-2026-28454

HIGH 7.5

OpenClaw < 2026.2.2 - Authorization Bypass via Unauthenticated Telegram Webhook

CVSS Score

7.5

EPSS Score

0.0%

EPSS Percentile

0th

OpenClaw versions prior to 2026.2.2 fail to validate webhook secrets in Telegram webhook mode (must be enabled), allowing unauthenticated HTTP POST requests to the webhook endpoint that trust attacker-controlled JSON payloads. Remote attackers can forge Telegram updates by spoofing message.from.id and chat.id fields to bypass sender allowlists and execute privileged bot commands.

CWE	CWE-345
Vendor	openclaw
Product	openclaw
Published	Mar 5, 2026
Last Updated	Mar 9, 2026

Stay Ahead of the Next One

Get instant alerts for openclaw openclaw

Be the first to know when new high vulnerabilities affecting openclaw openclaw are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Affected Versions

OpenClaw / OpenClaw

0 < 2026.2.2

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/openclaw/openclaw/security/advisories/GHSA-fhvm-j76f-qmjv github.com: https://github.com/openclaw/openclaw/commit/ca92597e1f9593236ad86810b66633144b69314d github.com: https://github.com/openclaw/openclaw/commit/5643a934799dc523ec2ef18c007e1aa2c386b670 github.com: https://github.com/openclaw/openclaw/commit/3cbcba10cf30c2ffb898f0d8c7dfb929f15f8930 github.com: https://github.com/openclaw/openclaw/commit/633fe8b9c17f02fcc68ecdb5ec212a5ace932f09 vulncheck.com: https://www.vulncheck.com/advisories/openclaw-authorization-bypass-via-unauthenticated-telegram-webhook

Credits

🔍 Petr Simecek (@simecek) Stanislav Fort, Aisle Research, www.aisle.com