CVE-2026-28454 - OpenClaw - Authentication Bypass

Overview

OpenClaw < 2026.2.2 contains a broken authentication caused by failure to validate webhook secrets in Telegram webhook mode, letting remote attackers spoof Telegram updates and execute privileged bot commands, exploit requires Telegram webhook mode enabled.

Severity & Score

Severity: Critical

CVSS Score: 9.8

EPSS Score: 1.9%(Probability of exploitation in next 30 days)

Impact

Remote attackers can bypass sender allowlists and execute privileged bot commands, potentially compromising bot control.

Mitigation

Update to version 2026.2.2 or later.

References

Social Media Activity(2 posts)

TheHackerWire

@thehackerwire

Mar 6, 2026

🔴 CVE-2026-28454 - Critical (9.8) OpenClaw versions prior to 2026.2.2 fail to validate webhook secrets in Telegram webhook mode (must be enabled), allowing unauthenticated HTTP POST requests to the webhook endpoint that trust attacker-controlled JSON payloads. Remote attackers can... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-28454/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

TheHackerWire

@thehackerwire

Mar 6, 2026

🔴 CVE-2026-28454 - Critical (9.8) OpenClaw versions prior to 2026.2.2 fail to validate webhook secrets in Telegram webhook mode (must be enabled), allowing unauthenticated HTTP POST requests to the webhook endpoint that trust attacker-controlled JSON payloads. Remote attackers can... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-28454/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

CVE-2026-28454 - Vulnerability Analysis

Overview

Severity & Score

Impact

Mitigation

References

Social Media Activity(2 posts)

Related Resources

Details

CWE

CVSS Metrics

EPSS Score