Missing Authentication for Critical Function in OpenClaw - CVE-2026-28450


Published: May 4, 2026


Vulnerability identifier: #VU129470
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-28450
CWE-ID: CWE-306
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OpenClaw
Affected software:
OpenClaw

Detailed vulnerability description

The vulnerability allows a remote attacker to modify the Nostr profile and gateway configuration.

The vulnerability exists due to missing authentication for a critical function in the Nostr profile management HTTP endpoints when handling requests to the profile and profile-import routes. A remote attacker can send crafted HTTP requests to these routes to modify the Nostr profile and gateway configuration.

Only deployments with the optional @openclaw/nostr plugin installed and enabled are vulnerable. Exploitation requires the gateway HTTP port to be reachable beyond localhost. Profile updates are published as a signed Nostr kind:0 event using the bot's private key, so a profile change submitted without authentication is signed and published as the bot itself.


How to mitigate CVE-2026-28450

Install the security update from the vendor's website.

Sources