CVE-2026-25474: OpenClaw has a Telegram webhook request forgery (missing `channels.telegram.webhookSecret`) → auth bypass
In Telegram webhook mode, if channels.telegram.webhookSecret is not set, OpenClaw may accept webhook HTTP requests without verifying Telegram’s secret token header. In deployments where the webhook endpoint is reachable by an attacker, this can allow forged Telegram updates (for example spoofing message.from.id).
Note: Telegram webhook mode is not enabled by default. It is enabled only when channels.telegram.webhookUrl is configured.
References
- github.com/advisories/GHSA-mp5h-m6qj-6292
- github.com/openclaw/openclaw
- github.com/openclaw/openclaw/commit/3cbcba10cf30c2ffb898f0d8c7dfb929f15f8930
- github.com/openclaw/openclaw/commit/5643a934799dc523ec2ef18c007e1aa2c386b670
- github.com/openclaw/openclaw/commit/633fe8b9c17f02fcc68ecdb5ec212a5ace932f09
- github.com/openclaw/openclaw/commit/ca92597e1f9593236ad86810b66633144b69314d
- github.com/openclaw/openclaw/releases/tag/v2026.2.1
- github.com/openclaw/openclaw/security/advisories/GHSA-mp5h-m6qj-6292
- nvd.nist.gov/vuln/detail/CVE-2026-25474