OpenClaw fails to validate Telegram webhook secrets
CVE-2026-28454
GHSA-fhvm-j76f-qmjv
Summary
OpenClaw versions before 2026.2.2 do not validate the Telegram webhook secret. When Telegram webhook mode is enabled, an unauthenticated attacker can therefore post forged updates that appear to come from any sender. To fix this, update to version 2026.2.2 or later.
What to do
- Update steipete openclaw to version 2026.2.1.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| steipete | openclaw | <= 2026.2.1 | 2026.2.1 |
| openclaw | openclaw | <= 2026.2.2 | – |
Original title
OpenClaw versions prior to 2026.2.2 fail to validate webhook secrets in Telegram webhook mode (must be enabled), allowing unauthenticated HTTP POST requests to the webhook endpoint that trust attac...
Original description
OpenClaw versions prior to 2026.2.2 fail to validate webhook secrets in Telegram webhook mode (must be enabled), allowing unauthenticated HTTP POST requests to the webhook endpoint that trust attacker-controlled JSON payloads. Remote attackers can forge Telegram updates by spoofing message.from.id and chat.id fields to bypass sender allowlists and execute privileged bot commands.
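Added example, not OpenClaw's code and not taken from the advisory or the fix commits: the pattern the description names beside its hardened form. Telegram echoes the secret registered with setWebhook's secret_token parameter in the X-Telegram-Bot-Api-Secret-Token header on every delivery, so the hardened handler rejects the request on that header before trusting any sender field. The secret value, allowlist and forged update are constructed.

```python
import hmac
import json

# Constructed sample values (not OpenClaw configuration): the secret registered
# via setWebhook(secret_token=...) and the bot's sender allowlist.
WEBHOOK_SECRET = "constructed-example-secret"
ALLOWED_SENDER_IDS = {111111}

SECRET_HEADER = "x-telegram-bot-api-secret-token"  # header name is case-insensitive


def dispatch(body: bytes) -> str:
    """Sender allowlist check and command dispatch, shared by both handlers."""
    update = json.loads(body)
    sender = update.get("message", {}).get("from", {}).get("id")
    if sender not in ALLOWED_SENDER_IDS:
        return "rejected: sender not allowlisted"
    return "executed privileged command"


def handle_update_vulnerable(headers: dict, body: bytes) -> str:
    """Pattern described in the advisory: the webhook secret is never checked,
    so anyone who can POST to the endpoint chooses message.from.id and chat.id
    and the allowlist is decided on attacker-controlled JSON."""
    return dispatch(body)


def handle_update_fixed(headers: dict, body: bytes) -> str:
    """Hardened form: require the secret header to match before parsing the
    body, so the allowlist only ever sees updates that came from Telegram."""
    presented = next(
        (v for k, v in headers.items() if k.lower() == SECRET_HEADER), "")
    # Constant-time comparison so the check does not leak the secret by timing.
    if not hmac.compare_digest(presented.encode(), WEBHOOK_SECRET.encode()):
        return "rejected: bad webhook secret"
    return dispatch(body)


# Constructed forged update: an unauthenticated POST whose body spoofs an
# allowlisted sender id in both message.from.id and chat.id.
FORGED_UPDATE = json.dumps({
    "update_id": 1,
    "message": {"from": {"id": 111111}, "chat": {"id": 111111},
                "text": "/privileged"},
}).encode()

if __name__ == "__main__":
    print(handle_update_vulnerable({}, FORGED_UPDATE))
    print(handle_update_fixed({}, FORGED_UPDATE))
    print(handle_update_fixed(
        {"X-Telegram-Bot-Api-Secret-Token": WEBHOOK_SECRET}, FORGED_UPDATE))
```

The same forged body is accepted by the first handler and rejected by the second unless the correct header accompanies it.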
nvd CVSS3.1: 7.5
nvd CVSS4.0: 8.2
Vulnerability type
- CWE-345: Insufficient Verification of Data Authenticity
- CWE-285: Improper Authorization
References
- https://github.com/openclaw/openclaw/commit/3cbcba10cf30c2ffb898f0d8c7dfb929f15f...
- https://github.com/openclaw/openclaw/commit/5643a934799dc523ec2ef18c007e1aa2c386...
- https://github.com/openclaw/openclaw/commit/633fe8b9c17f02fcc68ecdb5ec212a5ace93...
- https://github.com/openclaw/openclaw/commit/ca92597e1f9593236ad86810b66633144b69...
- https://github.com/openclaw/openclaw/security/advisories/GHSA-fhvm-j76f-qmjv
- https://www.vulncheck.com/advisories/openclaw-authorization-bypass-via-unauthent...
- https://github.com/openclaw/openclaw/releases/tag/v2026.2.1
- https://nvd.nist.gov/vuln/detail/CVE-2026-28454
- https://github.com/advisories/GHSA-fhvm-j76f-qmjv
Published: 5 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026