anonhaven
Ad

CVE-2026-28454

HIGH CVSS 4.0: 8.2 EPSS 0.03%
Updated Mar 06, 2026
OpenClaw
Parameter Value
CVSS 8.2 (HIGH)
Affected Versions before 2026.2.2
Type CWE-345 (Insufficient Verification of Data (Недостаточная проверка данных))
Vendor OpenClaw
Public PoC No

OpenClaw versions prior to 2026.2.2 fail to validate webhook secrets in Telegram webhook mode (must be enabled), allowing unauthenticated HTTP POST requests to the webhook endpoint that trust attacker-controlled JSON payloads. Remote attackers can forge Telegram updates by spoofing message.from.id and chat.id fields to bypass sender allowlists and execute privileged bot commands.

Attack Parameters

Attack Vector
Network
Атака возможна удалённо
Attack Complexity
Low
Легко эксплуатировать
Attack Requirements
Present
Нужны дополнительные условия
Privileges Required
None
Права не нужны
User Interaction
None
Не нужно действие пользователя

Impact Assessment

Confidentiality
None
Нет утечки данных
Integrity
High
Полная модификация данных
Availability
None
Нет нарушения работы

CVSS Vector v4.0

Weakness Type (CWE)

CWE-345 Insufficient Verification of Data (Недостаточная проверка данных)

References 6

https://github.com/openclaw/openclaw/commit/3cbcba10cf30c2ffb898f0d8c7dfb929f15…
disclosure@vulncheck.com
https://github.com/openclaw/openclaw/commit/5643a934799dc523ec2ef18c007e1aa2c38…
disclosure@vulncheck.com
https://github.com/openclaw/openclaw/commit/633fe8b9c17f02fcc68ecdb5ec212a5ace9…
disclosure@vulncheck.com
https://github.com/openclaw/openclaw/commit/ca92597e1f9593236ad86810b66633144b6…
disclosure@vulncheck.com
https://github.com/openclaw/openclaw/security/advisories/GHSA-fhvm-j76f-qmjv
disclosure@vulncheck.com
https://www.vulncheck.com/advisories/openclaw-authorization-bypass-via-unauthen…
disclosure@vulncheck.com
Share Post Share Share Share