Vulnerabilities
Vulnerable Software

Vulnerability Details CVE-2026-28454

OpenClaw versions prior to 2026.2.2 fail to validate webhook secrets in Telegram webhook mode (must be enabled), allowing unauthenticated HTTP POST requests to the webhook endpoint that trust attacker-controlled JSON payloads. Remote attackers can forge Telegram updates by spoofing message.from.id and chat.id fields to bypass sender allowlists and execute privileged bot commands.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.003
EPSS Ranking 16.9%
CVSS Severity
CVSS v3 Score 7.5
Products affected by CVE-2026-28454
  • Openclaw » Openclaw » Version: 0.1.0
    cpe:2.3:a:openclaw:openclaw:0.1.0
  • Openclaw » Openclaw » Version: 0.1.1
    cpe:2.3:a:openclaw:openclaw:0.1.1
  • Openclaw » Openclaw » Version: 0.1.2
    cpe:2.3:a:openclaw:openclaw:0.1.2
  • Openclaw » Openclaw » Version: 0.1.3
    cpe:2.3:a:openclaw:openclaw:0.1.3
  • Openclaw » Openclaw » Version: 1.0.4
    cpe:2.3:a:openclaw:openclaw:1.0.4
  • Openclaw » Openclaw » Version: 1.1.0
    cpe:2.3:a:openclaw:openclaw:1.1.0
  • Openclaw » Openclaw » Version: 1.2.0
    cpe:2.3:a:openclaw:openclaw:1.2.0
  • Openclaw » Openclaw » Version: 1.2.1
    cpe:2.3:a:openclaw:openclaw:1.2.1
  • Openclaw » Openclaw » Version: 1.2.2
    cpe:2.3:a:openclaw:openclaw:1.2.2
  • Openclaw » Openclaw » Version: 1.3.0
    cpe:2.3:a:openclaw:openclaw:1.3.0
  • Openclaw » Openclaw » Version: 2.0.0
    cpe:2.3:a:openclaw:openclaw:2.0.0
  • Openclaw » Openclaw » Version: 2026.1.10
    cpe:2.3:a:openclaw:openclaw:2026.1.10
  • Openclaw » Openclaw » Version: 2026.1.11
    cpe:2.3:a:openclaw:openclaw:2026.1.11
  • Openclaw » Openclaw » Version: 2026.1.11-1
    cpe:2.3:a:openclaw:openclaw:2026.1.11-1
  • Openclaw » Openclaw » Version: 2026.1.11-2
    cpe:2.3:a:openclaw:openclaw:2026.1.11-2
  • Openclaw » Openclaw » Version: 2026.1.11-3
    cpe:2.3:a:openclaw:openclaw:2026.1.11-3
  • Openclaw » Openclaw » Version: 2026.1.11-4
    cpe:2.3:a:openclaw:openclaw:2026.1.11-4
  • Openclaw » Openclaw » Version: 2026.1.111
    cpe:2.3:a:openclaw:openclaw:2026.1.111
  • Openclaw » Openclaw » Version: 2026.1.112
    cpe:2.3:a:openclaw:openclaw:2026.1.112
  • Openclaw » Openclaw » Version: 2026.1.113
    cpe:2.3:a:openclaw:openclaw:2026.1.113
  • Openclaw » Openclaw » Version: 2026.1.12
    cpe:2.3:a:openclaw:openclaw:2026.1.12
  • Openclaw » Openclaw » Version: 2026.1.12-1
    cpe:2.3:a:openclaw:openclaw:2026.1.12-1
  • Openclaw » Openclaw » Version: 2026.1.12-2
    cpe:2.3:a:openclaw:openclaw:2026.1.12-2
  • Openclaw » Openclaw » Version: 2026.1.122
    cpe:2.3:a:openclaw:openclaw:2026.1.122
  • Openclaw » Openclaw » Version: 2026.1.13
    cpe:2.3:a:openclaw:openclaw:2026.1.13
  • Openclaw » Openclaw » Version: 2026.1.14-1
    cpe:2.3:a:openclaw:openclaw:2026.1.14-1
  • Openclaw » Openclaw » Version: 2026.1.141
    cpe:2.3:a:openclaw:openclaw:2026.1.141
  • Openclaw » Openclaw » Version: 2026.1.15
    cpe:2.3:a:openclaw:openclaw:2026.1.15
  • Openclaw » Openclaw » Version: 2026.1.16-1
    cpe:2.3:a:openclaw:openclaw:2026.1.16-1
  • Openclaw » Openclaw » Version: 2026.1.16-2
    cpe:2.3:a:openclaw:openclaw:2026.1.16-2
  • Openclaw » Openclaw » Version: 2026.1.162
    cpe:2.3:a:openclaw:openclaw:2026.1.162
  • Openclaw » Openclaw » Version: 2026.1.20
    cpe:2.3:a:openclaw:openclaw:2026.1.20
  • Openclaw » Openclaw » Version: 2026.1.20-1
    cpe:2.3:a:openclaw:openclaw:2026.1.20-1
  • Openclaw » Openclaw » Version: 2026.1.20-2
    cpe:2.3:a:openclaw:openclaw:2026.1.20-2
  • Openclaw » Openclaw » Version: 2026.1.21
    cpe:2.3:a:openclaw:openclaw:2026.1.21
  • Openclaw » Openclaw » Version: 2026.1.21-1
    cpe:2.3:a:openclaw:openclaw:2026.1.21-1
  • Openclaw » Openclaw » Version: 2026.1.21-2
    cpe:2.3:a:openclaw:openclaw:2026.1.21-2
  • Openclaw » Openclaw » Version: 2026.1.22
    cpe:2.3:a:openclaw:openclaw:2026.1.22
  • Openclaw » Openclaw » Version: 2026.1.23
    cpe:2.3:a:openclaw:openclaw:2026.1.23
  • Openclaw » Openclaw » Version: 2026.1.23-1
    cpe:2.3:a:openclaw:openclaw:2026.1.23-1
  • Openclaw » Openclaw » Version: 2026.1.24
    cpe:2.3:a:openclaw:openclaw:2026.1.24
  • Openclaw » Openclaw » Version: 2026.1.24-1
    cpe:2.3:a:openclaw:openclaw:2026.1.24-1
  • Openclaw » Openclaw » Version: 2026.1.24-2
    cpe:2.3:a:openclaw:openclaw:2026.1.24-2
  • Openclaw » Openclaw » Version: 2026.1.24-3
    cpe:2.3:a:openclaw:openclaw:2026.1.24-3
  • Openclaw » Openclaw » Version: 2026.1.241
    cpe:2.3:a:openclaw:openclaw:2026.1.241
  • Openclaw » Openclaw » Version: 2026.1.29
    cpe:2.3:a:openclaw:openclaw:2026.1.29
  • Openclaw » Openclaw » Version: 2026.1.30
    cpe:2.3:a:openclaw:openclaw:2026.1.30
  • Openclaw » Openclaw » Version: 2026.1.4
    cpe:2.3:a:openclaw:openclaw:2026.1.4
  • Openclaw » Openclaw » Version: 2026.1.4-1
    cpe:2.3:a:openclaw:openclaw:2026.1.4-1
  • Openclaw » Openclaw » Version: 2026.1.5
    cpe:2.3:a:openclaw:openclaw:2026.1.5
  • Openclaw » Openclaw » Version: 2026.1.5-1
    cpe:2.3:a:openclaw:openclaw:2026.1.5-1
  • Openclaw » Openclaw » Version: 2026.1.5-2
    cpe:2.3:a:openclaw:openclaw:2026.1.5-2
  • Openclaw » Openclaw » Version: 2026.1.5-3
    cpe:2.3:a:openclaw:openclaw:2026.1.5-3
  • Openclaw » Openclaw » Version: 2026.1.51
    cpe:2.3:a:openclaw:openclaw:2026.1.51
  • Openclaw » Openclaw » Version: 2026.1.52
    cpe:2.3:a:openclaw:openclaw:2026.1.52
  • Openclaw » Openclaw » Version: 2026.1.53
    cpe:2.3:a:openclaw:openclaw:2026.1.53
  • Openclaw » Openclaw » Version: 2026.1.8
    cpe:2.3:a:openclaw:openclaw:2026.1.8
  • Openclaw » Openclaw » Version: 2026.1.8-1
    cpe:2.3:a:openclaw:openclaw:2026.1.8-1
  • Openclaw » Openclaw » Version: 2026.1.8-2
    cpe:2.3:a:openclaw:openclaw:2026.1.8-2
  • Openclaw » Openclaw » Version: 2026.1.9
    cpe:2.3:a:openclaw:openclaw:2026.1.9
  • Openclaw » Openclaw » Version: 2026.2.0
    cpe:2.3:a:openclaw:openclaw:2026.2.0
  • Openclaw » Openclaw » Version: 2026.2.1
    cpe:2.3:a:openclaw:openclaw:2026.2.1


Contact Us

Shodan ® - All rights reserved