Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2026-28480 (GCVE-0-2026-28480)
Vulnerability from cvelistv5 – Published: 2026-03-05 21:59 – Updated: 2026-03-09 20:58
VLAI?
EPSS
Title
OpenClaw < 2026.2.14 - Identity Spoofing via Mutable Username in Telegram Allowlist Authorization
Summary
OpenClaw versions prior to 2026.2.14 contain an authorization bypass vulnerability where Telegram allowlist matching accepts mutable usernames instead of immutable numeric sender IDs. Attackers can spoof identity by obtaining recycled usernames to bypass allowlist restrictions and interact with bots as unauthorized senders.
Severity ?
6.5 (Medium)
CWE
- CWE-290 - Authentication Bypass by Spoofing
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/openclaw/openclaw/security/adv… | vendor-advisory |
| https://github.com/openclaw/openclaw/commit/e3b43… | patch |
| https://github.com/openclaw/openclaw/commit/9e147… | patch |
| https://www.vulncheck.com/advisories/openclaw-ide… | third-party-advisory |
Impacted products
Date Public ?
2026-02-15 00:00
Credits
Vincent Koc (@vincentkoc)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-28480",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-09T20:58:43.385957Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-09T20:58:49.810Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageURL": "pkg:npm/openclaw",
"product": "OpenClaw",
"vendor": "OpenClaw",
"versions": [
{
"lessThan": "2026.2.14",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"versionEndExcluding": "2026.2.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Vincent Koc (@vincentkoc)"
}
],
"datePublic": "2026-02-15T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "OpenClaw versions prior to 2026.2.14 contain an authorization bypass vulnerability where Telegram allowlist matching accepts mutable usernames instead of immutable numeric sender IDs. Attackers can spoof identity by obtaining recycled usernames to bypass allowlist restrictions and interact with bots as unauthorized senders."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-290",
"description": "Authentication Bypass by Spoofing",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-05T22:28:19.389Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "GitHub Security Advisory (GHSA-mj5r-hh7j-4gxf)",
"tags": [
"vendor-advisory"
],
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-mj5r-hh7j-4gxf"
},
{
"name": "Patch Commit #1",
"tags": [
"patch"
],
"url": "https://github.com/openclaw/openclaw/commit/e3b432e481a96b8fd41b91273818e514074e05c3"
},
{
"name": "Patch Commit #2",
"tags": [
"patch"
],
"url": "https://github.com/openclaw/openclaw/commit/9e147f00b48e63e7be6964e0e2a97f2980854128"
},
{
"name": "VulnCheck Advisory: OpenClaw \u003c 2026.2.14 - Identity Spoofing via Mutable Username in Telegram Allowlist Authorization",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/openclaw-identity-spoofing-via-mutable-username-in-telegram-allowlist-authorization"
}
],
"title": "OpenClaw \u003c 2026.2.14 - Identity Spoofing via Mutable Username in Telegram Allowlist Authorization",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-28480",
"datePublished": "2026-03-05T21:59:55.589Z",
"dateReserved": "2026-02-27T19:20:32.111Z",
"dateUpdated": "2026-03-09T20:58:49.810Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-28480",
"date": "2026-05-14",
"epss": "0.00044",
"percentile": "0.1367"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-28480\",\"sourceIdentifier\":\"disclosure@vulncheck.com\",\"published\":\"2026-03-05T22:16:22.610\",\"lastModified\":\"2026-03-17T17:49:51.037\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"OpenClaw versions prior to 2026.2.14 contain an authorization bypass vulnerability where Telegram allowlist matching accepts mutable usernames instead of immutable numeric sender IDs. Attackers can spoof identity by obtaining recycled usernames to bypass allowlist restrictions and interact with bots as unauthorized senders.\"},{\"lang\":\"es\",\"value\":\"OpenClaw versiones anteriores a 2026.2.14 contienen una vulnerabilidad de omisi\u00f3n de autorizaci\u00f3n donde la coincidencia de la lista de permitidos de Telegram acepta nombres de usuario mutables en lugar de identificadores de remitente num\u00e9ricos inmutables. Los atacantes pueden suplantar la identidad obteniendo nombres de usuario reciclados para omitir las restricciones de la lista de permitidos e interactuar con bots como remitentes no autorizados.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"disclosure@vulncheck.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":6.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"LOW\",\"vulnIntegrityImpact\":\"LOW\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"disclosure@vulncheck.com\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":2.5}]},\"weaknesses\":[{\"source\":\"disclosure@vulncheck.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-290\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*\",\"versionEndExcluding\":\"2026.2.14\",\"matchCriteriaId\":\"0F3079A3-9FBD-4E87-821D-5CAF0622C555\"}]}]}],\"references\":[{\"url\":\"https://github.com/openclaw/openclaw/commit/9e147f00b48e63e7be6964e0e2a97f2980854128\",\"source\":\"disclosure@vulncheck.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/openclaw/openclaw/commit/e3b432e481a96b8fd41b91273818e514074e05c3\",\"source\":\"disclosure@vulncheck.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/openclaw/openclaw/security/advisories/GHSA-mj5r-hh7j-4gxf\",\"source\":\"disclosure@vulncheck.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.vulncheck.com/advisories/openclaw-identity-spoofing-via-mutable-username-in-telegram-allowlist-authorization\",\"source\":\"disclosure@vulncheck.com\",\"tags\":[\"Third Party Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-28480\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-09T20:58:43.385957Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-09T20:58:46.361Z\"}}], \"cna\": {\"title\": \"OpenClaw \u003c 2026.2.14 - Identity Spoofing via Mutable Username in Telegram Allowlist Authorization\", \"credits\": [{\"lang\": \"en\", \"type\": \"reporter\", \"value\": \"Vincent Koc (@vincentkoc)\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 6.9, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N\", \"exploitMaturity\": \"NOT_DEFINED\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"LOW\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"LOW\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}}, {\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"OpenClaw\", \"product\": \"OpenClaw\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"2026.2.14\", \"versionType\": \"custom\"}], \"packageURL\": \"pkg:npm/openclaw\", \"defaultStatus\": \"unaffected\"}], \"datePublic\": \"2026-02-15T00:00:00.000Z\", \"references\": [{\"url\": \"https://github.com/openclaw/openclaw/security/advisories/GHSA-mj5r-hh7j-4gxf\", \"name\": \"GitHub Security Advisory (GHSA-mj5r-hh7j-4gxf)\", \"tags\": [\"vendor-advisory\"]}, {\"url\": \"https://github.com/openclaw/openclaw/commit/e3b432e481a96b8fd41b91273818e514074e05c3\", \"name\": \"Patch Commit #1\", \"tags\": [\"patch\"]}, {\"url\": \"https://github.com/openclaw/openclaw/commit/9e147f00b48e63e7be6964e0e2a97f2980854128\", \"name\": \"Patch Commit #2\", \"tags\": [\"patch\"]}, {\"url\": \"https://www.vulncheck.com/advisories/openclaw-identity-spoofing-via-mutable-username-in-telegram-allowlist-authorization\", \"name\": \"VulnCheck Advisory: OpenClaw \u003c 2026.2.14 - Identity Spoofing via Mutable Username in Telegram Allowlist Authorization\", \"tags\": [\"third-party-advisory\"]}], \"x_generator\": {\"engine\": \"vulncheck\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"OpenClaw versions prior to 2026.2.14 contain an authorization bypass vulnerability where Telegram allowlist matching accepts mutable usernames instead of immutable numeric sender IDs. Attackers can spoof identity by obtaining recycled usernames to bypass allowlist restrictions and interact with bots as unauthorized senders.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-290\", \"description\": \"Authentication Bypass by Spoofing\"}]}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"2026.2.14\"}], \"operator\": \"OR\"}]}], \"providerMetadata\": {\"orgId\": \"83251b91-4cc7-4094-a5c7-464a1b83ea10\", \"shortName\": \"VulnCheck\", \"dateUpdated\": \"2026-03-05T22:28:19.389Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-28480\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-09T20:58:49.810Z\", \"dateReserved\": \"2026-02-27T19:20:32.111Z\", \"assignerOrgId\": \"83251b91-4cc7-4094-a5c7-464a1b83ea10\", \"datePublished\": \"2026-03-05T21:59:55.589Z\", \"assignerShortName\": \"VulnCheck\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
WID-SEC-W-2026-0424
Vulnerability from csaf_certbund - Published: 2026-02-15 23:00 - Updated: 2026-03-05 23:00Summary
OpenClaw: Mehrere Schwachstellen
Severity
Hoch
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung: OpenClaw ist ein persönlicher KI-Assistent zur Ausführung auf eigenen Geräten.
Angriff: Ein Angreifer kann diese Schwachstellen in OpenClaw ausnutzen, um beliebigen Programmcode auszuführen, sich erhöhte Berechtigungen zu verschaffen, Sicherheitsmaßnahmen zu umgehen, Daten zu manipulieren, einen Denial-of-Service-Zustand herbeizuführen, vertrauliche Informationen offenzulegen oder andere, nicht näher bezeichnete Angriffe durchzuführen.
Betroffene Betriebssysteme: - Sonstiges
- UNIX
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source OpenClaw <2026.2.14
Open Source / OpenClaw
|
<2026.2.14 |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source OpenClaw <2026.2.14
Open Source / OpenClaw
|
<2026.2.14 |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source OpenClaw <2026.2.14
Open Source / OpenClaw
|
<2026.2.14 |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source OpenClaw <2026.2.14
Open Source / OpenClaw
|
<2026.2.14 |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source OpenClaw <2026.2.14
Open Source / OpenClaw
|
<2026.2.14 |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source OpenClaw <2026.2.14
Open Source / OpenClaw
|
<2026.2.14 |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source OpenClaw <2026.2.14
Open Source / OpenClaw
|
<2026.2.14 |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source OpenClaw <2026.2.14
Open Source / OpenClaw
|
<2026.2.14 |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source OpenClaw <2026.2.14
Open Source / OpenClaw
|
<2026.2.14 |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source OpenClaw <2026.2.14
Open Source / OpenClaw
|
<2026.2.14 |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source OpenClaw <2026.2.14
Open Source / OpenClaw
|
<2026.2.14 |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source OpenClaw <2026.2.14
Open Source / OpenClaw
|
<2026.2.14 |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source OpenClaw <2026.2.14
Open Source / OpenClaw
|
<2026.2.14 |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source OpenClaw <2026.2.14
Open Source / OpenClaw
|
<2026.2.14 |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source OpenClaw <2026.2.14
Open Source / OpenClaw
|
<2026.2.14 |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source OpenClaw <2026.2.14
Open Source / OpenClaw
|
<2026.2.14 |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source OpenClaw <2026.2.14
Open Source / OpenClaw
|
<2026.2.14 |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source OpenClaw <2026.2.14
Open Source / OpenClaw
|
<2026.2.14 |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source OpenClaw <2026.2.14
Open Source / OpenClaw
|
<2026.2.14 |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source OpenClaw <2026.2.14
Open Source / OpenClaw
|
<2026.2.14 |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source OpenClaw <2026.2.14
Open Source / OpenClaw
|
<2026.2.14 |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source OpenClaw <2026.2.14
Open Source / OpenClaw
|
<2026.2.14 |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source OpenClaw <2026.2.14
Open Source / OpenClaw
|
<2026.2.14 |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source OpenClaw <2026.2.14
Open Source / OpenClaw
|
<2026.2.14 |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source OpenClaw <2026.2.14
Open Source / OpenClaw
|
<2026.2.14 |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source OpenClaw <2026.2.14
Open Source / OpenClaw
|
<2026.2.14 |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source OpenClaw <2026.2.14
Open Source / OpenClaw
|
<2026.2.14 |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source OpenClaw <2026.2.14
Open Source / OpenClaw
|
<2026.2.14 |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source OpenClaw <2026.2.14
Open Source / OpenClaw
|
<2026.2.14 |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source OpenClaw <2026.2.14
Open Source / OpenClaw
|
<2026.2.14 |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source OpenClaw <2026.2.14
Open Source / OpenClaw
|
<2026.2.14 |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source OpenClaw <2026.2.14
Open Source / OpenClaw
|
<2026.2.14 |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source OpenClaw <2026.2.14
Open Source / OpenClaw
|
<2026.2.14 |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source OpenClaw <2026.2.14
Open Source / OpenClaw
|
<2026.2.14 |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source OpenClaw <2026.2.14
Open Source / OpenClaw
|
<2026.2.14 |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source OpenClaw <2026.2.14
Open Source / OpenClaw
|
<2026.2.14 |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source OpenClaw <2026.2.14
Open Source / OpenClaw
|
<2026.2.14 |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source OpenClaw <2026.2.14
Open Source / OpenClaw
|
<2026.2.14 |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source OpenClaw <2026.2.14
Open Source / OpenClaw
|
<2026.2.14 |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source OpenClaw <2026.2.14
Open Source / OpenClaw
|
<2026.2.14 |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source OpenClaw <2026.2.14
Open Source / OpenClaw
|
<2026.2.14 |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source OpenClaw <2026.2.14
Open Source / OpenClaw
|
<2026.2.14 |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source OpenClaw <2026.2.14
Open Source / OpenClaw
|
<2026.2.14 |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source OpenClaw <2026.2.14
Open Source / OpenClaw
|
<2026.2.14 |
References
69 references
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "OpenClaw ist ein pers\u00f6nlicher KI-Assistent zur Ausf\u00fchrung auf eigenen Ger\u00e4ten.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein Angreifer kann diese Schwachstellen in OpenClaw ausnutzen, um beliebigen Programmcode auszuf\u00fchren, sich erh\u00f6hte Berechtigungen zu verschaffen, Sicherheitsma\u00dfnahmen zu umgehen, Daten zu manipulieren, einen Denial-of-Service-Zustand herbeizuf\u00fchren, vertrauliche Informationen offenzulegen oder andere, nicht n\u00e4her bezeichnete Angriffe durchzuf\u00fchren.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Sonstiges\n- UNIX",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2026-0424 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-0424.json"
},
{
"category": "self",
"summary": "WID-SEC-2026-0424 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-0424"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-33rq-m5x2-fvgf"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-3fqr-4cg8-h96q"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-3hcm-ggvf-rch5"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-3m3q-x3gj-f79x"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-4564-pvr2-qq4h"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-47q7-97xp-m272"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-4hg8-92x6-h2f3"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-4rj2-gpmh-qq5x"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-56f2-hvwg-5743"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-5xfq-5mr7-426q"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-64qx-vpxx-mvqf"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-782p-5fr5-7fj8"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-7q2j-c4q5-rm27"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-7rcp-mxpq-72pj"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-7vwx-582j-j332"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-7xhj-55q9-pc3m"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-8mh7-phf8-xgfm"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-943q-mwmv-hhvh"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-c37p-4qqg-3p76"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-chm2-m3w2-wcxm"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-cv7m-c9jx-vg7q"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-fhvm-j76f-qmjv"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-g27f-9qjv-22pm"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-g34w-4xqq-h79m"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-g6q9-8fvw-f7rf"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-gq9c-wg68-gwj2"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-gv46-4xfq-jv58"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-h3f9-mjwj-w476"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-h89v-j3x9-8wqj"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-h9g4-589h-68xv"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-hv93-r4j3-q65f"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-j27p-hq53-9wgc"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-jfv4-h8mc-jcp8"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-jmm5-fvh5-gf4p"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-jqpq-mgvm-f9r6"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-jrvc-8ff5-2f9f"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-m7x8-2w3w-pr42"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-mj5r-hh7j-4gxf"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-mp5h-m6qj-6292"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-mqpw-46fh-299h"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-mr32-vwc2-5j6h"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-mv9j-6xhh-g383"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-p25h-9q54-ffvw"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-pchc-86f6-8758"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-pg2v-8xwh-qhcc"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-pv58-549p-qh99"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-q447-rj3r-2cgh"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-qj77-c3c8-9c3q"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-qpjj-47vm-64pj"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-qrq5-wjgg-rvqw"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-qw99-grcx-4pvm"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-r5h9-vjqc-hq3r"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-rmxw-jxxx-4cpc"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-rq6g-px6m-c248"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-rv39-79c4-7459"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-rwj8-p9vq-25gv"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-v6c6-vqqg-w888"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-v773-r54f-q32w"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-v892-hwpg-jwqp"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-w2cg-vxx6-5xjg"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-w5c7-9qqw-6645"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-wfp2-v9c7-fh79"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-x22m-j5qq-j49m"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-xc7w-v5x6-cc87"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-xvhf-x56f-2hpp"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-xw4p-pw82-hqr7"
},
{
"category": "external",
"summary": "openclaw GitHub vom 2026-02-15",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-xwjm-j929-xq7c"
}
],
"source_lang": "en-US",
"title": "OpenClaw: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2026-03-05T23:00:00.000+00:00",
"generator": {
"date": "2026-03-06T07:07:21.689+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.5.0"
}
},
"id": "WID-SEC-W-2026-0424",
"initial_release_date": "2026-02-15T23:00:00.000+00:00",
"revision_history": [
{
"date": "2026-02-15T23:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2026-03-05T23:00:00.000+00:00",
"number": "2",
"summary": "CVE-Nummern erg\u00e4nzt"
}
],
"status": "final",
"version": "2"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c2026.2.14",
"product": {
"name": "Open Source OpenClaw \u003c2026.2.14",
"product_id": "T050918"
}
},
{
"category": "product_version",
"name": "2026.2.14",
"product": {
"name": "Open Source OpenClaw 2026.2.14",
"product_id": "T050918-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:openclaw:openclaw:2026.2.14"
}
}
}
],
"category": "product_name",
"name": "OpenClaw"
}
],
"category": "vendor",
"name": "Open Source"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-28391",
"product_status": {
"known_affected": [
"T050918"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-28391"
},
{
"cve": "CVE-2026-28392",
"product_status": {
"known_affected": [
"T050918"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-28392"
},
{
"cve": "CVE-2026-28393",
"product_status": {
"known_affected": [
"T050918"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-28393"
},
{
"cve": "CVE-2026-28395",
"product_status": {
"known_affected": [
"T050918"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-28395"
},
{
"cve": "CVE-2026-28446",
"product_status": {
"known_affected": [
"T050918"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-28446"
},
{
"cve": "CVE-2026-28447",
"product_status": {
"known_affected": [
"T050918"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-28447"
},
{
"cve": "CVE-2026-28448",
"product_status": {
"known_affected": [
"T050918"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-28448"
},
{
"cve": "CVE-2026-28450",
"product_status": {
"known_affected": [
"T050918"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-28450"
},
{
"cve": "CVE-2026-28451",
"product_status": {
"known_affected": [
"T050918"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-28451"
},
{
"cve": "CVE-2026-28452",
"product_status": {
"known_affected": [
"T050918"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-28452"
},
{
"cve": "CVE-2026-28453",
"product_status": {
"known_affected": [
"T050918"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-28453"
},
{
"cve": "CVE-2026-28454",
"product_status": {
"known_affected": [
"T050918"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-28454"
},
{
"cve": "CVE-2026-28456",
"product_status": {
"known_affected": [
"T050918"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-28456"
},
{
"cve": "CVE-2026-28457",
"product_status": {
"known_affected": [
"T050918"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-28457"
},
{
"cve": "CVE-2026-28458",
"product_status": {
"known_affected": [
"T050918"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-28458"
},
{
"cve": "CVE-2026-28459",
"product_status": {
"known_affected": [
"T050918"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-28459"
},
{
"cve": "CVE-2026-28462",
"product_status": {
"known_affected": [
"T050918"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-28462"
},
{
"cve": "CVE-2026-28463",
"product_status": {
"known_affected": [
"T050918"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-28463"
},
{
"cve": "CVE-2026-28464",
"product_status": {
"known_affected": [
"T050918"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-28464"
},
{
"cve": "CVE-2026-28465",
"product_status": {
"known_affected": [
"T050918"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-28465"
},
{
"cve": "CVE-2026-28466",
"product_status": {
"known_affected": [
"T050918"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-28466"
},
{
"cve": "CVE-2026-28467",
"product_status": {
"known_affected": [
"T050918"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-28467"
},
{
"cve": "CVE-2026-28468",
"product_status": {
"known_affected": [
"T050918"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-28468"
},
{
"cve": "CVE-2026-28469",
"product_status": {
"known_affected": [
"T050918"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-28469"
},
{
"cve": "CVE-2026-28470",
"product_status": {
"known_affected": [
"T050918"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-28470"
},
{
"cve": "CVE-2026-28471",
"product_status": {
"known_affected": [
"T050918"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-28471"
},
{
"cve": "CVE-2026-28472",
"product_status": {
"known_affected": [
"T050918"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-28472"
},
{
"cve": "CVE-2026-28473",
"product_status": {
"known_affected": [
"T050918"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-28473"
},
{
"cve": "CVE-2026-28474",
"product_status": {
"known_affected": [
"T050918"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-28474"
},
{
"cve": "CVE-2026-28475",
"product_status": {
"known_affected": [
"T050918"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-28475"
},
{
"cve": "CVE-2026-28476",
"product_status": {
"known_affected": [
"T050918"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-28476"
},
{
"cve": "CVE-2026-28477",
"product_status": {
"known_affected": [
"T050918"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-28477"
},
{
"cve": "CVE-2026-28478",
"product_status": {
"known_affected": [
"T050918"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-28478"
},
{
"cve": "CVE-2026-28480",
"product_status": {
"known_affected": [
"T050918"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-28480"
},
{
"cve": "CVE-2026-28481",
"product_status": {
"known_affected": [
"T050918"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-28481"
},
{
"cve": "CVE-2026-28482",
"product_status": {
"known_affected": [
"T050918"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-28482"
},
{
"cve": "CVE-2026-28485",
"product_status": {
"known_affected": [
"T050918"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-28485"
},
{
"cve": "CVE-2026-28486",
"product_status": {
"known_affected": [
"T050918"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-28486"
},
{
"cve": "CVE-2026-29606",
"product_status": {
"known_affected": [
"T050918"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-29606"
},
{
"cve": "CVE-2026-29609",
"product_status": {
"known_affected": [
"T050918"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-29609"
},
{
"cve": "CVE-2026-29610",
"product_status": {
"known_affected": [
"T050918"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-29610"
},
{
"cve": "CVE-2026-29611",
"product_status": {
"known_affected": [
"T050918"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-29611"
},
{
"cve": "CVE-2026-29612",
"product_status": {
"known_affected": [
"T050918"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-29612"
},
{
"cve": "CVE-2026-29613",
"product_status": {
"known_affected": [
"T050918"
]
},
"release_date": "2026-02-15T23:00:00.000+00:00",
"title": "CVE-2026-29613"
}
]
}
GHSA-MJ5R-HH7J-4GXF
Vulnerability from github – Published: 2026-02-18 00:54 – Updated: 2026-03-06 01:03
VLAI?
Summary
OpenClaw Telegram allowlist authorization accepted mutable usernames
Details
Summary
Telegram allowlist authorization could match on @username (mutable/recyclable) instead of immutable numeric sender IDs.
Impact
Operators who treat Telegram allowlists as strict identity controls could unintentionally grant access if a username changes hands (identity rebinding/spoof risk). This can allow an unauthorized sender to interact with the bot in allowlist mode.
Affected Packages / Versions
- npm
openclaw: <= 2026.2.13 - npm
clawdbot: <= 2026.1.24-3
Fix
Telegram allowlist authorization now requires numeric Telegram sender IDs only. @username allowlist principals are rejected.
A security audit warning was added to flag legacy configs that still contain non-numeric Telegram allowlist entries.
openclaw doctor --fix now attempts to resolve @username allowFrom entries to numeric IDs (best-effort; requires a Telegram bot token).
Fix Commit(s)
- e3b432e481a96b8fd41b91273818e514074e05c3
- 9e147f00b48e63e7be6964e0e2a97f2980854128
Thanks @vincentkoc for reporting.
Severity ?
5.9 (Medium)
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.2.14"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "clawdbot"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2026.1.24-3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-28480"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-290"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-18T00:54:32Z",
"nvd_published_at": "2026-03-05T22:16:22Z",
"severity": "MODERATE"
},
"details": "## Summary\nTelegram allowlist authorization could match on `@username` (mutable/recyclable) instead of immutable numeric sender IDs.\n\n## Impact\nOperators who treat Telegram allowlists as strict identity controls could unintentionally grant access if a username changes hands (identity rebinding/spoof risk). This can allow an unauthorized sender to interact with the bot in allowlist mode.\n\n## Affected Packages / Versions\n- npm `openclaw`: \u003c= 2026.2.13\n- npm `clawdbot`: \u003c= 2026.1.24-3\n\n## Fix\nTelegram allowlist authorization now requires numeric Telegram sender IDs only. `@username` allowlist principals are rejected.\n\nA security audit warning was added to flag legacy configs that still contain non-numeric Telegram allowlist entries.\n\n`openclaw doctor --fix` now attempts to resolve `@username` allowFrom entries to numeric IDs (best-effort; requires a Telegram bot token).\n\n## Fix Commit(s)\n- e3b432e481a96b8fd41b91273818e514074e05c3\n- 9e147f00b48e63e7be6964e0e2a97f2980854128\n\nThanks @vincentkoc for reporting.",
"id": "GHSA-mj5r-hh7j-4gxf",
"modified": "2026-03-06T01:03:30Z",
"published": "2026-02-18T00:54:32Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-mj5r-hh7j-4gxf"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28480"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/9e147f00b48e63e7be6964e0e2a97f2980854128"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/e3b432e481a96b8fd41b91273818e514074e05c3"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.14"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-identity-spoofing-via-mutable-username-in-telegram-allowlist-authorization"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw Telegram allowlist authorization accepted mutable usernames"
}
CNVD-2026-13544
Vulnerability from cnvd - Published: 2026-03-12
VLAI Severity ?
Title
OpenClaw身份伪造漏洞
Description
OpenClaw是用于Telegram机器人权限管理的开源框架。
OpenClaw存在身份伪造漏洞。攻击者可利用该漏洞通过回收用户名伪装身份,绕过权限限制非法操控机器人。
Severity
中
Patch Name
OpenClaw身份伪造漏洞的补丁
Patch Description
OpenClaw是用于Telegram机器人权限管理的开源框架。
OpenClaw存在身份伪造漏洞。攻击者可利用该漏洞通过回收用户名伪装身份,绕过权限限制非法操控机器人。目前,供应商发布了安全公告及相关补丁信息,修复了此漏洞。
Formal description
目前厂商已发布升级补丁以修复漏洞。补丁获取链接: https://github.com/openclaw/openclaw/security/advisories/GHSA-mj5r-hh7j-4gxf
Reference
https://github.com/openclaw/openclaw/commit/9e147f00b48e63e7be6964e0e2a97f2980854128
https://github.com/openclaw/openclaw/commit/e3b432e481a96b8fd41b91273818e514074e05c3
https://github.com/openclaw/openclaw/security/advisories/GHSA-mj5r-hh7j-4gxf
https://www.vulncheck.com/advisories/openclaw-identity-spoofing-via-mutable-username-in-telegram-allowlist-authorization
Impacted products
| Name | OpenClaw OpenClaw <2026.2.14 |
|---|
{
"cves": {
"cve": {
"cveNumber": "CVE-2026-28480",
"cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2026-28480"
}
},
"description": "OpenClaw\u662f\u7528\u4e8eTelegram\u673a\u5668\u4eba\u6743\u9650\u7ba1\u7406\u7684\u5f00\u6e90\u6846\u67b6\u3002\n\nOpenClaw\u5b58\u5728\u8eab\u4efd\u4f2a\u9020\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7\u56de\u6536\u7528\u6237\u540d\u4f2a\u88c5\u8eab\u4efd\uff0c\u7ed5\u8fc7\u6743\u9650\u9650\u5236\u975e\u6cd5\u64cd\u63a7\u673a\u5668\u4eba\u3002",
"formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\u3002\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://github.com/openclaw/openclaw/security/advisories/GHSA-mj5r-hh7j-4gxf",
"isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
"number": "CNVD-2026-13544",
"openTime": "2026-03-12",
"patchDescription": "OpenClaw\u662f\u7528\u4e8eTelegram\u673a\u5668\u4eba\u6743\u9650\u7ba1\u7406\u7684\u5f00\u6e90\u6846\u67b6\u3002\n\nOpenClaw\u5b58\u5728\u8eab\u4efd\u4f2a\u9020\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7\u56de\u6536\u7528\u6237\u540d\u4f2a\u88c5\u8eab\u4efd\uff0c\u7ed5\u8fc7\u6743\u9650\u9650\u5236\u975e\u6cd5\u64cd\u63a7\u673a\u5668\u4eba\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
"patchName": "OpenClaw\u8eab\u4efd\u4f2a\u9020\u6f0f\u6d1e\u7684\u8865\u4e01",
"products": {
"product": "OpenClaw OpenClaw \u003c2026.2.14"
},
"referenceLink": "https://github.com/openclaw/openclaw/commit/9e147f00b48e63e7be6964e0e2a97f2980854128\r\nhttps://github.com/openclaw/openclaw/commit/e3b432e481a96b8fd41b91273818e514074e05c3\r\nhttps://github.com/openclaw/openclaw/security/advisories/GHSA-mj5r-hh7j-4gxf\r\nhttps://www.vulncheck.com/advisories/openclaw-identity-spoofing-via-mutable-username-in-telegram-allowlist-authorization",
"serverity": "\u4e2d",
"submitTime": "2026-03-12",
"title": "OpenClaw\u8eab\u4efd\u4f2a\u9020\u6f0f\u6d1e"
}
FKIE_CVE-2026-28480
Vulnerability from fkie_nvd - Published: 2026-03-05 22:16 - Updated: 2026-03-17 17:49
Severity ?
Summary
OpenClaw versions prior to 2026.2.14 contain an authorization bypass vulnerability where Telegram allowlist matching accepts mutable usernames instead of immutable numeric sender IDs. Attackers can spoof identity by obtaining recycled usernames to bypass allowlist restrictions and interact with bots as unauthorized senders.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "0F3079A3-9FBD-4E87-821D-5CAF0622C555",
"versionEndExcluding": "2026.2.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "OpenClaw versions prior to 2026.2.14 contain an authorization bypass vulnerability where Telegram allowlist matching accepts mutable usernames instead of immutable numeric sender IDs. Attackers can spoof identity by obtaining recycled usernames to bypass allowlist restrictions and interact with bots as unauthorized senders."
},
{
"lang": "es",
"value": "OpenClaw versiones anteriores a 2026.2.14 contienen una vulnerabilidad de omisi\u00f3n de autorizaci\u00f3n donde la coincidencia de la lista de permitidos de Telegram acepta nombres de usuario mutables en lugar de identificadores de remitente num\u00e9ricos inmutables. Los atacantes pueden suplantar la identidad obteniendo nombres de usuario reciclados para omitir las restricciones de la lista de permitidos e interactuar con bots como remitentes no autorizados."
}
],
"id": "CVE-2026-28480",
"lastModified": "2026-03-17T17:49:51.037",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 2.5,
"source": "disclosure@vulncheck.com",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "disclosure@vulncheck.com",
"type": "Secondary"
}
]
},
"published": "2026-03-05T22:16:22.610",
"references": [
{
"source": "disclosure@vulncheck.com",
"tags": [
"Patch"
],
"url": "https://github.com/openclaw/openclaw/commit/9e147f00b48e63e7be6964e0e2a97f2980854128"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Patch"
],
"url": "https://github.com/openclaw/openclaw/commit/e3b432e481a96b8fd41b91273818e514074e05c3"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-mj5r-hh7j-4gxf"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.vulncheck.com/advisories/openclaw-identity-spoofing-via-mutable-username-in-telegram-allowlist-authorization"
}
],
"sourceIdentifier": "disclosure@vulncheck.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-290"
}
],
"source": "disclosure@vulncheck.com",
"type": "Secondary"
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…