GHSA-MP5H-M6QJ-6292

Vulnerability from github – Published: 2026-02-17 18:46 – Updated: 2026-02-19 21:23
Summary
OpenClaw has a Telegram webhook request forgery (missing `channels.telegram.webhookSecret`) → auth bypass
Details

Summary

In Telegram webhook mode, if channels.telegram.webhookSecret is not set, OpenClaw may accept webhook HTTP requests without verifying Telegram’s secret token header. In deployments where the webhook endpoint is reachable by an attacker, this can allow forged Telegram updates (for example spoofing message.from.id).

Note: Telegram webhook mode is not enabled by default. It is enabled only when channels.telegram.webhookUrl is configured.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Affected: <= 2026.1.30
  • Patched: >= 2026.2.1

Impact

If an attacker can reach the webhook endpoint, they may be able to send forged updates that are processed as if they came from Telegram. Depending on enabled commands/tools and configuration, this could lead to unintended bot actions.

Mitigations / Workarounds

  • Set a strong channels.telegram.webhookSecret and ensure your reverse proxy forwards the X-Telegram-Bot-Api-Secret-Token header unchanged.
  • Restrict network access to the webhook endpoint (for example bind to loopback and only expose via a reverse proxy).

Fix Commit(s)

  • ca92597e1f9593236ad86810b66633144b69314d (config validation: webhookUrl requires webhookSecret)

Defense-in-depth / supporting fixes:

  • 5643a934799dc523ec2ef18c007e1aa2c386b670 (default webhook listener bind host to loopback)
  • 3cbcba10cf30c2ffb898f0d8c7dfb929f15f8930 (bound webhook request body size/time)
  • 633fe8b9c17f02fcc68ecdb5ec212a5ace932f09 (runtime guard: reject webhook startup when secret is missing/empty)

Thanks @yueyueL for reporting.


{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-25474"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-345"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-17T18:46:16Z",
    "nvd_published_at": "2026-02-19T07:17:45Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\nIn Telegram webhook mode, if `channels.telegram.webhookSecret` is not set, OpenClaw may accept webhook HTTP requests without verifying Telegram\u2019s secret token header. In deployments where the webhook endpoint is reachable by an attacker, this can allow forged Telegram updates (for example spoofing `message.from.id`).\n\nNote: Telegram webhook mode is not enabled by default. It is enabled only when `channels.telegram.webhookUrl` is configured.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected: `\u003c= 2026.1.30`\n- Patched: `\u003e= 2026.2.1`\n\n## Impact\n\nIf an attacker can reach the webhook endpoint, they may be able to send forged updates that are processed as if they came from Telegram. Depending on enabled commands/tools and configuration, this could lead to unintended bot actions.\n\n## Mitigations / Workarounds\n\n- Set a strong `channels.telegram.webhookSecret` and ensure your reverse proxy forwards the `X-Telegram-Bot-Api-Secret-Token` header unchanged.\n- Restrict network access to the webhook endpoint (for example bind to loopback and only expose via a reverse proxy).\n\n## Fix Commit(s)\n\n- ca92597e1f9593236ad86810b66633144b69314d (config validation: `webhookUrl` requires `webhookSecret`)\n\nDefense-in-depth / supporting fixes:\n\n- 5643a934799dc523ec2ef18c007e1aa2c386b670 (default webhook listener bind host to loopback)\n- 3cbcba10cf30c2ffb898f0d8c7dfb929f15f8930 (bound webhook request body size/time)\n- 633fe8b9c17f02fcc68ecdb5ec212a5ace932f09 (runtime guard: reject webhook startup when secret is missing/empty)\n\nThanks @yueyueL for reporting.",
  "id": "GHSA-mp5h-m6qj-6292",
  "modified": "2026-02-19T21:23:52Z",
  "published": "2026-02-17T18:46:16Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-mp5h-m6qj-6292"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25474"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/3cbcba10cf30c2ffb898f0d8c7dfb929f15f8930"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/5643a934799dc523ec2ef18c007e1aa2c386b670"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/633fe8b9c17f02fcc68ecdb5ec212a5ace932f09"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/ca92597e1f9593236ad86810b66633144b69314d"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OpenClaw has a Telegram webhook request forgery (missing `channels.telegram.webhookSecret`) \u2192 auth bypass"
}

