Improper Authorization in OpenClaw - CVE-2026-28448

Published: May 4, 2026


Vulnerability identifier: #VU129494
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-28448
CWE-ID: CWE-285
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OpenClaw
Affected software:
OpenClaw

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass authorization checks and trigger the agent pipeline.

The vulnerability exists due to improper authorization in the Twitch plugin's access control when handling Twitch chat messages that mention the bot. A remote attacker can send a crafted chat message that mentions the bot from a Twitch account not present in the allowlist to bypass the authorization check and trigger the agent pipeline.

Only deployments with the Twitch plugin installed and enabled are vulnerable, and exploitation requires allowFrom (the account allowlist referred to above) to be configured while allowedRoles is unset or empty. Deployments whose Twitch plugin settings do not match that combination are not in the affected configuration.
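
As an added illustration (not OpenClaw's code, and not the vendor's actual fix), the following TypeScript sketches the class of access check that produces the precondition above: a role filter that treats an unset or empty allowedRoles as an unconditional allow and returns before the allowFrom allowlist is consulted, next to a hardened version in which every configured control must pass and the unconfigured case denies. Only the option names allowFrom and allowedRoles come from the advisory; the types, helper names, bot name and sample messages are assumptions.

```typescript
// Added illustration, not OpenClaw's code: a hypothetical mention handler
// for a Twitch-style chat plugin. Only the option names allowFrom and
// allowedRoles come from the advisory; everything else here is assumed.

interface AccessConfig {
  allowFrom?: string[];     // sender allowlist (chat usernames)
  allowedRoles?: string[];  // role allowlist, e.g. "moderator", "vip"
}

interface ChatMessage {
  sender: string;   // login of the sending account
  roles: string[];  // roles the chat platform reports for the sender
  text: string;
}

type AccessCheck = (cfg: AccessConfig, msg: ChatMessage) => boolean;

function hasRole(msg: ChatMessage, roles: string[]): boolean {
  return msg.roles.some((r) => roles.indexOf(r) !== -1);
}

function mentionsBot(msg: ChatMessage, botName: string): boolean {
  return msg.text.toLowerCase().indexOf("@" + botName.toLowerCase()) !== -1;
}

// VULNERABLE pattern (hypothetical): an unset or empty allowedRoles is read
// as "no role restriction", and that alone grants access, so allowFrom is
// never consulted. Any account that mentions the bot gets through.
function isAuthorizedVulnerable(cfg: AccessConfig, msg: ChatMessage): boolean {
  const roles = cfg.allowedRoles ?? [];
  if (roles.length === 0) {
    return true; // BUG: short-circuits past the sender allowlist
  }
  const from = cfg.allowFrom ?? [];
  return hasRole(msg, roles) || from.indexOf(msg.sender) !== -1;
}

// HARDENED: an unset control means "not configured", never "allow all";
// every configured control must pass; with nothing configured, deny.
function isAuthorizedFixed(cfg: AccessConfig, msg: ChatMessage): boolean {
  const from = cfg.allowFrom ?? [];
  const roles = cfg.allowedRoles ?? [];
  if (from.length === 0 && roles.length === 0) {
    return false; // default deny
  }
  const senderOk = from.length === 0 || from.indexOf(msg.sender) !== -1;
  const roleOk = roles.length === 0 || hasRole(msg, roles);
  return senderOk && roleOk;
}

// Gate in front of the agent pipeline: true means the message would be
// handed to the agent.
function shouldTriggerAgent(
  cfg: AccessConfig,
  msg: ChatMessage,
  botName: string,
  check: AccessCheck = isAuthorizedFixed
): boolean {
  return mentionsBot(msg, botName) && check(cfg, msg);
}

// Constructed sample: the advisory's precondition (allowFrom set,
// allowedRoles absent) and a message from an account not on the list.
const sampleConfig: AccessConfig = { allowFrom: ["streamer"] };
const outsider: ChatMessage = { sender: "randomviewer", roles: [], text: "@clawbot summarize chat" };
const listed: ChatMessage = { sender: "streamer", roles: ["broadcaster"], text: "@clawbot summarize chat" };

console.log("vulnerable, outsider:", shouldTriggerAgent(sampleConfig, outsider, "clawbot", isAuthorizedVulnerable)); // true
console.log("fixed, outsider:     ", shouldTriggerAgent(sampleConfig, outsider, "clawbot", isAuthorizedFixed));      // false
console.log("fixed, listed:       ", shouldTriggerAgent(sampleConfig, listed, "clawbot", isAuthorizedFixed));        // true
```

Run it with ts-node or compile with tsc; the first line of output is the one that matters for an operator: with allowFrom set and allowedRoles absent, an account that is not on the list still reaches the agent under the vulnerable check, while the hardened check denies it and keeps admitting the listed account. The hardened version also denies when neither option is configured, which is the safer default for a handler that can start an agent run from public chat.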


How to mitigate CVE-2026-28448

Install the security update from the vendor's website. Until it is applied, deployments that do not need the Twitch plugin can disable it, since only installations with the plugin installed and enabled are affected.
