Improper Authorization in OpenClaw - CVE-2026-28454

Published: May 4, 2026
Vulnerability identifier: #VU129485
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-28454
CWE-ID: CWE-285
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OpenClaw
Affected software: OpenClaw

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass authorization checks and execute privileged bot commands.

The vulnerability exists due to improper authorization in the Telegram webhook endpoint when handling unauthenticated HTTP POST requests with attacker-controlled update JSON. A remote attacker can send a specially crafted webhook request with spoofed sender identifiers to bypass authorization checks and execute privileged bot commands.

The issue occurs when Telegram webhook mode is enabled without a configured webhook secret.
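The weak and hardened configurations described above, as an added illustration that is not OpenClaw's code: a Telegram webhook handler that trusts the sender identifier in the posted update JSON, beside one that first verifies the secret token Telegram attaches to deliveries. The example assumes the bot registered its webhook with the Telegram Bot API's `secret_token` option, so genuine deliveries carry the `X-Telegram-Bot-Api-Secret-Token` header; the admin allow-list, the secret value and the sample update are constructed here. Nothing about OpenClaw's actual handler or configuration keys is implied.

```python
"""Telegram webhook handling: unauthenticated (weak) vs. secret-token-verified (hardened).

Added illustration, not OpenClaw's code. Assumes the webhook was registered with
Telegram's `secret_token` option, so every genuine delivery carries the header
`X-Telegram-Bot-Api-Secret-Token`. Without that check, nothing proves the POST
came from Telegram, and the `from.id` field in the body is attacker-controlled.
"""
import hmac
import json
from typing import Dict, Optional

# Constructed sample allow-list: Telegram user ids permitted to run /admin commands.
PRIVILEGED_USER_IDS = {1001}

# Constructed sample secret. In a real deployment this comes from configuration
# and is the same value passed to setWebhook(secret_token=...).
EXPECTED_SECRET = "constructed-webhook-secret-value"

# Constructed sample update body claiming to come from an allow-listed admin.
SAMPLE_UPDATE = json.dumps({
    "update_id": 1,
    "message": {
        "message_id": 7,
        "from": {"id": 1001, "is_bot": False, "first_name": "admin"},
        "chat": {"id": 1001, "type": "private"},
        "text": "/admin reload",
    },
}).encode()


def _dispatch(body: bytes) -> str:
    """Command dispatch shared by both handlers; authorization keyed on message.from.id."""
    update = json.loads(body)
    message = update.get("message", {})
    sender = message.get("from", {}).get("id")
    text = message.get("text", "")
    if text.startswith("/admin") and sender in PRIVILEGED_USER_IDS:
        return "executed privileged command"
    return "ignored"


def handle_update_weak(headers: Dict[str, str], body: bytes) -> str:
    """Vulnerable pattern: no proof the request came from Telegram, so the
    sender id is whatever the HTTP client chose to put in the JSON."""
    return _dispatch(body)


def verify_secret_token(headers: Dict[str, str], expected: Optional[str]) -> bool:
    """True only when a secret is configured AND the presented header matches it.

    Fails closed when no secret is configured (webhook mode without a secret is
    exactly the weak setting the advisory describes). HTTP header names are
    case-insensitive, so keys are normalized before lookup. hmac.compare_digest
    keeps the comparison constant-time so the secret does not leak via timing.
    """
    if not expected:
        return False
    normalized = {k.lower(): v for k, v in headers.items()}
    presented = normalized.get("x-telegram-bot-api-secret-token", "")
    return hmac.compare_digest(presented.encode(), expected.encode())


def handle_update_hardened(headers: Dict[str, str], body: bytes,
                           expected_secret: Optional[str] = EXPECTED_SECRET) -> str:
    """Hardened pattern: authenticate the delivery before trusting its contents."""
    if not verify_secret_token(headers, expected_secret):
        return "rejected: 401"
    # Only now is message.from.id trustworthy: Telegram, not the caller, populated it.
    return _dispatch(body)


if __name__ == "__main__":
    print("weak, no header:        ", handle_update_weak({}, SAMPLE_UPDATE))
    print("hardened, no header:    ", handle_update_hardened({}, SAMPLE_UPDATE))
    good = {"X-Telegram-Bot-Api-Secret-Token": EXPECTED_SECRET}
    print("hardened, valid header: ", handle_update_hardened(good, SAMPLE_UPDATE))
    print("hardened, no secret set:", handle_update_hardened(good, SAMPLE_UPDATE, expected_secret=None))
```

The point of the hardened version is the order of operations: the delivery is authenticated first, and the per-user authorization check runs only on updates Telegram itself produced. Refusing to operate when no secret is configured turns the advisory's precondition into a startup or request-time failure rather than a silent downgrade.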
How to mitigate CVE-2026-28454

Install the security update from the vendor's website.
