CVE-2026-28454
published 2026-03-05

Priority: P2 65
Severity: critical (CVSS 3.1 base score 9.8)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.26% (16.7th percentile)
OpenClaw versions prior to 2026.2.2 fail to validate webhook secrets in Telegram webhook mode (must be enabled), allowing unauthenticated HTTP POST requests to the webhook endpoint that trust attacker-controlled JSON payloads. Remote attackers can forge Telegram updates by spoofing message.from.id and chat.id fields to bypass sender allowlists and execute privileged bot commands.

Affected (2 ranges)

Vendor     Product    Version range      Fixed in
openclaw   openclaw   < 2026.2.2         2026.2.2
openclaw   openclaw   >= 0, < 2026.2.1   2026.2.1

Detection & IOCs (extracted from sources)

  • Detect unauthenticated HTTP POST requests to the OpenClaw Telegram webhook endpoint: because the vulnerable versions do not validate the webhook secret, any POST should be treated as suspicious if the application is running a version prior to 2026.2.2.
  • Inspect incoming Telegram webhook JSON payloads for spoofed or unexpected message.from.id and chat.id field values that do not match known legitimate Telegram user/chat identifiers, as attackers forge these to bypass sender allowlists.
  • The vulnerability is only exploitable when Telegram webhook mode is explicitly enabled in OpenClaw; polling mode is not affected. Prioritize patching or disabling webhook mode on instances running versions prior to 2026.2.2.
  • The affected package is published under the name 'openclaw' (formerly Moltbot or Clawdbot) on npm and Homebrew. Ensure dependency inventories account for all historical package names when scanning for vulnerable versions.
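The root cause described above is an authorization check that trusts fields inside the request body (message.from.id, chat.id) without first establishing that the request came from Telegram at all. The following is an added example, not OpenClaw's code (the page does not show the project's handler); it assumes the standard Telegram Bot API mechanism in which a secret_token registered with setWebhook is echoed back by Telegram in the X-Telegram-Bot-Api-Secret-Token header on every delivery. It contrasts an allowlist-only check, which a forged payload passes, with a handler that authenticates the transport before consulting the allowlist. All IDs, the secret, and the update body are constructed for the example.

```python
import hmac
import json

# Telegram's Bot API sends this header on every webhook delivery when a
# secret_token was registered with setWebhook; its value must equal that token.
# Header names are case-insensitive in HTTP, so we match on the lowercase form.
SECRET_HEADER = "x-telegram-bot-api-secret-token"

# Constructed sample values for the example (not real credentials or IDs).
EXAMPLE_SECRET = "example-webhook-secret-token"
ALLOWED_USER_IDS = {1234}

# Constructed update body: the sender ID matches the allowlist, but nothing in
# the body proves the request came from Telegram. This is the shape of payload
# the advisory describes as forgeable.
SPOOFED_UPDATE = json.dumps({
    "update_id": 1,
    "message": {
        "message_id": 1,
        "from": {"id": 1234, "is_bot": False},
        "chat": {"id": 1234, "type": "private"},
        "text": "/help",
    },
}).encode()


def _sender_id(body: bytes):
    """Extract message.from.id from an update body; None if absent or malformed."""
    try:
        update = json.loads(body)
    except ValueError:
        return None
    sender = ((update.get("message") or {}).get("from") or {}).get("id")
    return sender if isinstance(sender, int) else None


def allowlist_only_authorize(body: bytes, allowed_user_ids: set) -> bool:
    """Vulnerable pattern: trusts the payload's own sender field.
    Anyone who can POST to the endpoint passes this check simply by writing
    an allowlisted ID into the JSON, which is the bypass the advisory describes."""
    return _sender_id(body) in allowed_user_ids


def update_is_authentic(headers: dict, expected_secret: str) -> bool:
    """Return True only if the request carries the registered secret token.
    Comparison is constant-time so timing does not leak the token."""
    if not expected_secret:
        return False  # no token configured: fail closed rather than open
    lowered = {k.lower(): v for k, v in headers.items()}
    presented = lowered.get(SECRET_HEADER, "")
    return hmac.compare_digest(presented.encode(), expected_secret.encode())


def authorize_update(headers: dict, body: bytes, expected_secret: str,
                     allowed_user_ids: set) -> tuple:
    """Hardened pattern: authenticate the transport first, then apply the
    sender allowlist to the payload that is now known to come from Telegram."""
    if not update_is_authentic(headers, expected_secret):
        return (False, "missing or invalid secret token")
    sender = _sender_id(body)
    if sender is None:
        return (False, "malformed update")
    if sender not in allowed_user_ids:
        return (False, "sender not in allowlist")
    return (True, "ok")


if __name__ == "__main__":
    print("allowlist only, no header:",
          allowlist_only_authorize(SPOOFED_UPDATE, ALLOWED_USER_IDS))
    print("hardened, no header:",
          authorize_update({}, SPOOFED_UPDATE, EXAMPLE_SECRET, ALLOWED_USER_IDS))
    print("hardened, correct header:",
          authorize_update({"X-Telegram-Bot-Api-Secret-Token": EXAMPLE_SECRET},
                           SPOOFED_UPDATE, EXAMPLE_SECRET, ALLOWED_USER_IDS))
```

The ordering is the point: the allowlist is only meaningful once the request is known to originate from Telegram, so the secret-token check must run before any payload field is read. Rejecting when no secret is configured (fail closed) avoids the silent downgrade in which a deployment that forgot to set secret_token ends up accepting every POST.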

CVSS provenance

NVD, CVSS v3.1: 9.8 CRITICAL
  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v4.0: 8.2 HIGH
  CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X