CVE-2026-28454 HIGH

CVE-2026-28454: OpenClaw < 2026.2.2 - Authorization Bypass via Unauthenticated Telegram Webhook

Vendor Openclaw
Product OpenClaw
Weakness CWE-345 (Insufficient Verification of Data Authenticity)
Published March 5, 2026
Last update March 9, 2026

CVSS base score

8.2/10 (CVSS 4.0)
Attack vector        Network
Attack complexity    Low
Attack requirements  Present (Telegram webhook mode must be enabled)
Privileges required  None
User interaction     None
Confidentiality      None
Integrity            High
Availability         None
Subsequent system    None (C/I/A)

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

Description

OpenClaw versions prior to 2026.2.2 do not verify the webhook secret when the Telegram integration runs in webhook mode (the mode must be enabled for the flaw to be reachable). The webhook endpoint accepts unauthenticated HTTP POST requests and treats the attacker-supplied JSON body as a genuine Telegram update. A remote attacker can therefore forge updates, setting message.from.id and chat.id to allowlisted values, to bypass the sender allowlist and run privileged bot commands. Telegram's Bot API returns the secret registered with the setWebhook secret_token parameter in the X-Telegram-Bot-Api-Secret-Token request header of every delivery; a handler that never compares that header with the configured value cannot tell a real delivery from a forged one, so every identity field in the body is effectively attacker-controlled. The issue is fixed in 2026.2.2.
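The following is an added example, not OpenClaw's code or the vendor's fix. It models a Telegram webhook handler in the vulnerable shape the advisory describes (no secret check; authorization keyed on message.from.id taken from the request body) next to a hardened handler that first compares the X-Telegram-Bot-Api-Secret-Token header, in constant time, against the value registered via setWebhook's secret_token. The allowlisted user id, the secret, the privileged command names and the forged update are all constructed for the example and are not drawn from OpenClaw.

```python
"""Added example (not OpenClaw code): vulnerable vs. hardened Telegram webhook
handler for the forged-update bypass described in the advisory."""
import hmac
import json

# Constructed configuration for the example (hypothetical values).
ALLOWED_SENDER_IDS = {123456789}             # allowlisted Telegram user id
WEBHOOK_SECRET = "example-secret-token"       # value passed as setWebhook(secret_token=...)
PRIVILEGED_COMMANDS = {"/shell", "/restart"}  # hypothetical privileged bot commands


def _header(headers, name):
    """Case-insensitive lookup over a plain dict of request headers."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return ""


def _dispatch(update):
    """Authorization + dispatch keyed on fields inside the update body.
    These fields are only trustworthy once the delivery itself is authenticated."""
    message = update.get("message") or {}
    sender_id = (message.get("from") or {}).get("id")
    chat_id = (message.get("chat") or {}).get("id")
    text = message.get("text") or ""
    if sender_id not in ALLOWED_SENDER_IDS:
        return 403, "sender not allowlisted"
    command = text.split()[0] if text else ""
    if command in PRIVILEGED_COMMANDS:
        return 200, f"executed {command} for chat {chat_id}"
    return 200, "ignored"


def handle_vulnerable(headers, body):
    """Pre-fix shape: no secret check, so anyone can POST a body and the
    allowlist decision rests on an attacker-chosen message.from.id."""
    return _dispatch(json.loads(body))


def handle_fixed(headers, body):
    """Hardened shape: require the secret Telegram echoes back in
    X-Telegram-Bot-Api-Secret-Token (constant-time compare) before parsing.
    After that, message.from.id was set by Telegram, not by the client."""
    presented = _header(headers, "X-Telegram-Bot-Api-Secret-Token")
    if not hmac.compare_digest(presented.encode(), WEBHOOK_SECRET.encode()):
        return 401, "missing or invalid webhook secret"
    return _dispatch(json.loads(body))


# Constructed forged update: the attacker picks from.id and chat.id to match the allowlist.
FORGED_BODY = json.dumps({
    "update_id": 1,
    "message": {
        "message_id": 1,
        "from": {"id": 123456789, "is_bot": False, "first_name": "spoofed"},
        "chat": {"id": 123456789, "type": "private"},
        "date": 0,
        "text": "/restart",
    },
})


def demo():
    """Forged request against both handlers, plus a genuine delivery
    (correct header) against the hardened one."""
    no_secret = {"Content-Type": "application/json"}
    with_secret = {"Content-Type": "application/json",
                   "X-Telegram-Bot-Api-Secret-Token": WEBHOOK_SECRET}
    return {
        "vulnerable_forged": handle_vulnerable(no_secret, FORGED_BODY),
        "fixed_forged": handle_fixed(no_secret, FORGED_BODY),
        "fixed_genuine": handle_fixed(with_secret, FORGED_BODY),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Two design points worth noting. The secret check must run before the body is parsed or any field of it is read, because the secret is the only thing that binds the request to Telegram; the allowlist check stays in place afterwards, since the secret proves who delivered the update, not who sent the message. And the comparison uses hmac.compare_digest rather than == so that the check does not leak the secret byte by byte through timing.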

Key dates

Disclosure timeline

March 5, 2026 CVE published
March 9, 2026 Record updated