CVE-2026-28454 - Vulnerability Analysis
Severity: Critical | CVSS: 9.8 | Last Updated: March 5, 2026
OpenClaw - Authentication Bypass
Published: March 5, 2026 | Updated: March 5, 2026 | Remote Exploitable
Overview
OpenClaw versions before 2026.2.2 contain a broken-authentication flaw: in Telegram webhook mode the webhook secret is not validated, so a remote attacker can spoof Telegram updates and execute privileged bot commands. Exploitation requires Telegram webhook mode to be enabled.
Severity & Score
Severity: Critical
CVSS Score: 9.8
Impact
Remote attackers can bypass sender allowlists and execute privileged bot commands, potentially compromising bot control.
Mitigation
Update to version 2026.2.2 or later.
References
- https://github.com/openclaw/openclaw/commit/5643a934799dc523ec2ef18c007e1aa2c386b670
- https://github.com/openclaw/openclaw/commit/633fe8b9c17f02fcc68ecdb5ec212a5ace932f09
- https://github.com/openclaw/openclaw/commit/ca92597e1f9593236ad86810b66633144b69314d
- https://github.com/openclaw/openclaw/security/advisories/GHSA-fhvm-j76f-qmjv
- https://www.vulncheck.com/advisories/openclaw-authorization-bypass-via-unauthenticated-telegram-webhook
- https://github.com/openclaw/openclaw/commit/3cbcba10cf30c2ffb898f0d8c7dfb929f15f8930
Details
- CVE ID: CVE-2026-28454
- Severity: Critical
- CVSS Score: 9.8
- Type: broken_authentication
- Status: new
CWE
- CWE-345
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H