{ "affected": [ { "ranges": [ { "database_specific": { "versions": [ { "introduced": "0" }, { "fixed": "2026.2.2" } ] }, "events": [ { "introduced": "0" }, { "fixed": "95cd2210f93d6ab2acc5e29dbad6065294365863" }, { "fixed": "3cbcba10cf30c2ffb898f0d8c7dfb929f15f8930" }, { "fixed": "5643a934799dc523ec2ef18c007e1aa2c386b670" }, { "fixed": "633fe8b9c17f02fcc68ecdb5ec212a5ace932f09" }, { "fixed": "ca92597e1f9593236ad86810b66633144b69314d" } ], "repo": "https://github.com/openclaw/openclaw", "type": "GIT" } ] } ], "aliases": [ "GHSA-fhvm-j76f-qmjv" ], "details": "OpenClaw versions prior to 2026.2.2 fail to validate webhook secrets in Telegram webhook mode (must be enabled), allowing unauthenticated HTTP POST requests to the webhook endpoint that trust attacker-controlled JSON payloads. Remote attackers can forge Telegram updates by spoofing message.from.id and chat.id fields to bypass sender allowlists and execute privileged bot commands.", "id": "CVE-2026-28454", "modified": "2026-04-01T23:08:29.938487372Z", "published": "2026-03-05T22:16:17.817Z", "references": [ { "type": "ADVISORY", "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-fhvm-j76f-qmjv" }, { "type": "ADVISORY", "url": "https://www.vulncheck.com/advisories/openclaw-authorization-bypass-via-unauthenticated-telegram-webhook" }, { "type": "FIX", "url": "https://github.com/openclaw/openclaw/commit/3cbcba10cf30c2ffb898f0d8c7dfb929f15f8930" }, { "type": "FIX", "url": "https://github.com/openclaw/openclaw/commit/5643a934799dc523ec2ef18c007e1aa2c386b670" }, { "type": "FIX", "url": "https://github.com/openclaw/openclaw/commit/633fe8b9c17f02fcc68ecdb5ec212a5ace932f09" }, { "type": "FIX", "url": "https://github.com/openclaw/openclaw/commit/ca92597e1f9593236ad86810b66633144b69314d" } ], "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "type": "CVSS_V3" } ] }