CVE-2026-28480 - Vulnerability Analysis
CriticalCVSS: 9.8Last Updated: March 5, 2026
OpenClaw - Authorization Bypass
Published: March 5, 2026Updated: March 5, 2026Remote Exploitable
Overview
OpenClaw < 2026.2.14 contains an authorization bypass caused by Telegram allowlist matching accepting mutable usernames instead of immutable numeric sender IDs, letting attackers spoof identity and bypass allowlist restrictions.
Severity & Score
Severity: Critical
CVSS Score: 9.8
Impact
Attackers can bypass allowlist restrictions and interact with bots as unauthorized senders, potentially leading to unauthorized actions.
Mitigation
Update to version 2026.2.14 or later.
References
- https://www.vulncheck.com/advisories/openclaw-identity-spoofing-via-mutable-username-in-telegram-allowlist-authorization
- https://github.com/openclaw/openclaw/commit/9e147f00b48e63e7be6964e0e2a97f2980854128
- https://github.com/openclaw/openclaw/commit/e3b432e481a96b8fd41b91273818e514074e05c3
- https://github.com/openclaw/openclaw/security/advisories/GHSA-mj5r-hh7j-4gxf
Related Resources
Details
- CVE ID
- CVE-2026-28480
- Severity
- Critical
- CVSS Score
- 9.8
- Type
- broken_access_control
- Status
- new
CWE
- CWE-290
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H