CVE-2026-28454 · CRITICAL 9.8 · EPSS percentile 16.6%

CVE-2026-28454

Description

OpenClaw versions prior to 2026.2.2 fail to validate webhook secrets in Telegram webhook mode (must be enabled), so unauthenticated HTTP POST requests to the webhook endpoint are accepted and their attacker-controlled JSON payloads are trusted. Remote attackers can forge Telegram updates by spoofing the message.from.id and chat.id fields to bypass sender allowlists and execute privileged bot commands.

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.26% probability of exploitation · percentile 16.6% · 2026-06-18T12:00:27Z
Published: 2026-03-05
Last modified: 2026-03-09

Underlying weaknesses · 1

CWE-345

References

  1. https://github.com/openclaw/openclaw/commit/3cbcba10cf30c2ffb898f0d8c7dfb929f15f8930
  2. https://github.com/openclaw/openclaw/commit/5643a934799dc523ec2ef18c007e1aa2c386b670
  3. https://github.com/openclaw/openclaw/commit/633fe8b9c17f02fcc68ecdb5ec212a5ace932f09
  4. https://github.com/openclaw/openclaw/commit/ca92597e1f9593236ad86810b66633144b69314d
  5. https://github.com/openclaw/openclaw/security/advisories/GHSA-fhvm-j76f-qmjv
  6. https://www.vulncheck.com/advisories/openclaw-authorization-bypass-via-unauthenticated-telegram-webhook

Type     | Target                                                   | Confidence | Tier
Weakness | Insufficient Verification of Data Authenticity (cwe-345) | 0%         | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE: CVE-2026-35670
CVE: CVE-2026-28448
CVE: CVE-2026-41359
CVE: CVE-2026-34507
CVE: CVE-2026-35652
CVE: CVE-2026-28472

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.