CVE-2026-28450: OpenClaw's unauthenticated Nostr profile HTTP endpoints allow remote profile/config tampering
(updated )
The OpenClaw Nostr channel plugin (optional, disabled by default, installed separately) exposes profile management HTTP endpoints under /api/channels/nostr/:accountId/profile (GET/PUT) and /api/channels/nostr/:accountId/profile/import (POST). In affected versions, these routes were dispatched via the gateway plugin HTTP layer without requiring gateway authentication, allowing unauthenticated remote callers to read or mutate the Nostr profile and persist changes to the gateway config. Profile updates are also published as a signed Nostr kind:0 event using the bot’s private key.
Deployments that do not have the Nostr plugin installed and enabled are not impacted.
References
- github.com/advisories/GHSA-mv9j-6xhh-g383
- github.com/openclaw/openclaw
- github.com/openclaw/openclaw/commit/647d929c9d0fd114249230d939a5cb3b36dc70e7
- github.com/openclaw/openclaw/releases/tag/v2026.2.12
- github.com/openclaw/openclaw/security/advisories/GHSA-mv9j-6xhh-g383
- nvd.nist.gov/vuln/detail/CVE-2026-28450
- www.vulncheck.com/advisories/openclaw-unauthenticated-profile-tampering-via-nostr-plugin-http-endpoints
Code Behaviors & Features
Detect and mitigate CVE-2026-28450 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →