CVE-2026-28454: OpenClaw has a potential access-group authorization bypass if channel type lookup fails
(updated )
When Telegram webhook mode is enabled without a configured webhook secret, OpenClaw may accept unauthenticated HTTP POST requests at the Telegram webhook endpoint and trust attacker-controlled update JSON. This can allow forged Telegram updates that spoof message.from.id / chat.id, potentially bypassing sender allowlists and executing privileged bot commands.
References
- github.com/advisories/GHSA-fhvm-j76f-qmjv
- github.com/openclaw/openclaw
- github.com/openclaw/openclaw/commit/3cbcba10cf30c2ffb898f0d8c7dfb929f15f8930
- github.com/openclaw/openclaw/commit/5643a934799dc523ec2ef18c007e1aa2c386b670
- github.com/openclaw/openclaw/commit/633fe8b9c17f02fcc68ecdb5ec212a5ace932f09
- github.com/openclaw/openclaw/commit/ca92597e1f9593236ad86810b66633144b69314d
- github.com/openclaw/openclaw/releases/tag/v2026.2.1
- github.com/openclaw/openclaw/security/advisories/GHSA-fhvm-j76f-qmjv
- nvd.nist.gov/vuln/detail/CVE-2026-28454
- www.vulncheck.com/advisories/openclaw-authorization-bypass-via-unauthenticated-telegram-webhook
Code Behaviors & Features
Detect and mitigate CVE-2026-28454 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →