CVE-2026-28448
published 2026-03-05


Priority: P262
Severity: critical, 9.4 (CVSS 3.1), vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
EPSS: 0.44% (35.4th percentile)
OpenClaw versions 2026.1.29 prior to 2026.2.1 contain a vulnerability in the Twitch plugin (must be installed and enabled) in which it fails to enforce the allowFrom allowlist when allowedRoles is unset or empty, allowing unauthorized Twitch users to trigger agent dispatch. Remote attackers can mention the bot in Twitch chat to bypass access control and invoke the agent pipeline, potentially causing unintended actions or resource exhaustion.

Affected

2 ranges (both entries are identical)

Vendor     Product    Version range              Fixed in
openclaw   openclaw   >= 2026.1.29 < 2026.2.1    2026.2.1

Detection & IOCs (extracted from sources)

  • Detect unauthorized Twitch chat mentions of the bot that trigger agent dispatch: monitor for bot mention events originating from users not present in the allowFrom allowlist, particularly when allowedRoles is unset or empty in the OpenClaw Twitch plugin configuration.
  • Flag OpenClaw Twitch plugin deployments where allowedRoles is unset or empty, as this is the precondition for the access control bypass.
  • The vulnerability only applies when the Twitch plugin is installed AND enabled in OpenClaw. Instances without the plugin are not affected.
  • The access control bypass is specifically triggered when allowedRoles is unset or empty; a non-empty allowedRoles configuration is required for the allowFrom allowlist to be enforced.
  • Affected versions are OpenClaw 2026.1.29 up to (not including) 2026.2.1. Upgrading to 2026.2.1 or later remediates the issue.
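The following TypeScript is an added illustration of the logic flaw described above, written for this page; it is not OpenClaw's code, and the config field types, function names, and sample chat events are assumptions. It shows the flawed shape (the allowFrom check is reachable only inside the allowedRoles branch, so an empty allowedRoles falls through to "allow"), the hardened shape (each control evaluated independently, deny by default), plus the two defender checks from the bullets: a configuration check for the empty-allowedRoles precondition and a log review that flags bot mentions from senders outside allowFrom.

```typescript
// Illustrative reconstruction of the CVE-2026-28448 logic flaw (assumed shape,
// not OpenClaw's code). All names and the sample data below are constructed.

interface TwitchPluginConfig {
  allowFrom?: string[];    // Twitch logins permitted to trigger agent dispatch
  allowedRoles?: string[]; // chat roles permitted to trigger dispatch, e.g. "moderator"
}

interface ChatMention {
  user: string;     // Twitch login of the sender
  roles: string[];  // roles Twitch reports for the sender in this channel
  mentionsBot: boolean;
}

// Case-insensitive, whitespace-trimmed set; undefined behaves like an empty list.
function normalize(values?: string[]): Set<string> {
  return new Set((values ?? []).map((v) => v.trim().toLowerCase()).filter(Boolean));
}

// Flawed pattern: allowFrom is consulted only when allowedRoles is non-empty,
// so an unset or empty allowedRoles accepts every sender who mentions the bot.
function isAuthorizedFlawed(cfg: TwitchPluginConfig, m: ChatMention): boolean {
  const roles = normalize(cfg.allowedRoles);
  if (roles.size > 0) {
    const hasRole = m.roles.some((r) => roles.has(r.toLowerCase()));
    const listed = normalize(cfg.allowFrom).has(m.user.toLowerCase());
    return hasRole || listed;
  }
  return true; // BUG: no allowedRoles configured means no check at all
}

// Hardened pattern: each control is evaluated on its own; nothing matched means deny.
function isAuthorizedFixed(cfg: TwitchPluginConfig, m: ChatMention): boolean {
  const allowFrom = normalize(cfg.allowFrom);
  const roles = normalize(cfg.allowedRoles);
  if (allowFrom.has(m.user.toLowerCase())) return true;
  if (roles.size > 0 && m.roles.some((r) => roles.has(r.toLowerCase()))) return true;
  return false;
}

// Configuration check (second bullet): an unset or empty allowedRoles is the
// precondition for the bypass on affected versions.
function hasBypassPrecondition(cfg: TwitchPluginConfig): boolean {
  return normalize(cfg.allowedRoles).size === 0;
}

// Log review (first bullet): bot mentions from senders not on the allowFrom list.
function findUnlistedMentions(cfg: TwitchPluginConfig, events: ChatMention[]): ChatMention[] {
  const allowFrom = normalize(cfg.allowFrom);
  return events.filter((e) => e.mentionsBot && !allowFrom.has(e.user.toLowerCase()));
}

// Constructed sample: an allowlist-only configuration and three chat events.
const sampleConfig: TwitchPluginConfig = { allowFrom: ["trusted_streamer"] };
const sampleEvents: ChatMention[] = [
  { user: "Trusted_Streamer", roles: ["broadcaster"], mentionsBot: true },
  { user: "random_viewer", roles: [], mentionsBot: true },
  { user: "another_viewer", roles: [], mentionsBot: false },
];

// Runs both authorization variants and the log review over the sample events.
function demo(): { flawedAccepts: number; fixedAccepts: number; flagged: string[] } {
  const mentions = sampleEvents.filter((e) => e.mentionsBot);
  return {
    flawedAccepts: mentions.filter((m) => isAuthorizedFlawed(sampleConfig, m)).length,
    fixedAccepts: mentions.filter((m) => isAuthorizedFixed(sampleConfig, m)).length,
    flagged: findUnlistedMentions(sampleConfig, sampleEvents).map((e) => e.user),
  };
}

console.log(demo());
```

With the sample data the flawed check accepts both mentions while the fixed check accepts only the allowlisted sender, and the log review surfaces the unlisted one; the same `findUnlistedMentions` pass over real chat event logs from an affected deployment is the detection the first bullet describes.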

CVSS provenance

Source   Version   Score   Severity   Vector
nvd      v3.1      9.4     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
nvd      v4.0      6.3     MEDIUM     CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X