← Zuruck zu CVEs
CVE-2026-28454
HIGH7.5
Beschreibung
OpenClaw versions prior to 2026.2.2 fail to validate webhook secrets in Telegram webhook mode (must be enabled), allowing unauthenticated HTTP POST requests to the webhook endpoint that trust attacker-controlled JSON payloads. Remote attackers can forge Telegram updates by spoofing message.from.id and chat.id fields to bypass sender allowlists and execute privileged bot commands.
CVE Details
CVSS v3.1 Bewertung7.5
SchweregradHIGH
CVSS VektorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
AngriffsvektorNETWORK
KomplexitatLOW
Erforderliche PrivilegienNONE
BenutzerinteraktionNONE
Veroffentlicht3/5/2026
Zuletzt geandert3/9/2026
Quellenvd
Honeypot-Sichtungen0
Betroffene Produkte
openclaw:openclaw
Schwachen (CWE)
CWE-345
Referenzen
https://github.com/openclaw/openclaw/commit/3cbcba10cf30c2ffb898f0d8c7dfb929f15f8930(disclosure@vulncheck.com)
https://github.com/openclaw/openclaw/commit/5643a934799dc523ec2ef18c007e1aa2c386b670(disclosure@vulncheck.com)
https://github.com/openclaw/openclaw/commit/633fe8b9c17f02fcc68ecdb5ec212a5ace932f09(disclosure@vulncheck.com)
https://github.com/openclaw/openclaw/commit/ca92597e1f9593236ad86810b66633144b69314d(disclosure@vulncheck.com)
https://github.com/openclaw/openclaw/security/advisories/GHSA-fhvm-j76f-qmjv(disclosure@vulncheck.com)
https://www.vulncheck.com/advisories/openclaw-authorization-bypass-via-unauthenticated-telegram-webhook(disclosure@vulncheck.com)
IOC Korrelationen
Keine Korrelationen erfasst
This product uses data from the NVD API but is not endorsed or certified by the NVD.