CVE-2026-28480

MEDIUM 6.5

OpenClaw < 2026.2.14 - Identity Spoofing via Mutable Username in Telegram Allowlist Authorization

CVSS Score

6.5

EPSS Score

0.0%

EPSS Percentile

0th

OpenClaw versions prior to 2026.2.14 contain an authorization bypass vulnerability where Telegram allowlist matching accepts mutable usernames instead of immutable numeric sender IDs. Attackers can spoof identity by obtaining recycled usernames to bypass allowlist restrictions and interact with bots as unauthorized senders.

CWE	CWE-290
Vendor	openclaw
Product	openclaw
Published	Mar 5, 2026
Last Updated	Mar 9, 2026

Stay Ahead of the Next One

Get instant alerts for openclaw openclaw

Be the first to know when new medium vulnerabilities affecting openclaw openclaw are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

Affected Versions

OpenClaw / OpenClaw

0 < 2026.2.14

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/openclaw/openclaw/security/advisories/GHSA-mj5r-hh7j-4gxf github.com: https://github.com/openclaw/openclaw/commit/e3b432e481a96b8fd41b91273818e514074e05c3 github.com: https://github.com/openclaw/openclaw/commit/9e147f00b48e63e7be6964e0e2a97f2980854128 vulncheck.com: https://www.vulncheck.com/advisories/openclaw-identity-spoofing-via-mutable-username-in-telegram-allowlist-authorization

Credits

🔍 Vincent Koc (@vincentkoc)