Insufficient verification of data authenticity in OpenClaw - CVE-2026-25474


Published: May 4, 2026


Vulnerability identifier: #VU129498
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-25474
CWE-ID: CWE-345
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OpenClaw
Affected software:
OpenClaw

Detailed vulnerability description

The vulnerability allows a remote attacker to send forged Telegram updates that are processed as if they came from Telegram.

The vulnerability exists due to insufficient verification of data authenticity in the Telegram webhook endpoint: when no webhook secret is configured, incoming webhook HTTP requests are handled without any check that they actually originate from Telegram. A remote attacker can send a specially crafted webhook request to inject forged Telegram updates, which are then processed as if they came from Telegram.

Only deployments with Telegram webhook mode enabled are vulnerable, and exploitation requires the webhook endpoint to be reachable by the attacker (for example, exposed to the Internet with no webhook secret configured).


How to mitigate CVE-2026-25474

Install the security update from the vendor's website. Until the update is applied, deployments running in Telegram webhook mode should configure a webhook secret (registered with Telegram via setWebhook's secret_token and echoed back in the X-Telegram-Bot-Api-Secret-Token header of every update) and restrict who can reach the webhook endpoint; deployments that do not use webhook mode are not affected by this issue.
