
OpenClaw with Nostr plugin exposed to unauthenticated access

CVE-2026-28450 GHSA-mv9j-6xhh-g383
Summary

OpenClaw versions before 2026.2.12 with the Nostr plugin enabled leave sensitive information open to anyone on the internet. This means that attackers can access and modify important data, and even use the system to send fake messages. To fix this, update to the latest version of OpenClaw with the Nostr plugin.

What to do
  • Update steipete openclaw to version 2026.2.12.
Affected software
Vendor     Product    Affected versions   Fix available
steipete   openclaw   <= 2026.2.12        2026.2.12
openclaw   openclaw   <= 2026.2.12        –
Original title
OpenClaw versions prior to 2026.2.12 with the optional Nostr plugin enabled expose unauthenticated HTTP endpoints at /api/channels/nostr/:accountId/profile and /api/channels/nostr/:accountId/profil...
Original description
OpenClaw versions prior to 2026.2.12 with the optional Nostr plugin enabled expose unauthenticated HTTP endpoints at /api/channels/nostr/:accountId/profile and /api/channels/nostr/:accountId/profile/import that allow reading and modifying Nostr profiles without gateway authentication. Remote attackers can exploit these endpoints to read sensitive profile data, modify Nostr profiles, persist malicious changes to gateway configuration, and publish signed Nostr events using the bot's private key when the gateway HTTP port is accessible beyond localhost.
NVD CVSS 3.1: 6.8
NVD CVSS 4.0: 8.3
Vulnerability type
CWE-285 Improper Authorization
CWE-306 Missing Authentication for Critical Function
Published: 5 Mar 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026