PT-2026-20324

Yueyuel · Published 2026-02-17 · Updated 2026-02-23

CVE-2026-25474

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: openclaw versions prior to 2026.2.1

Description: In Telegram webhook mode, if channels.telegram.webhookSecret is not set, the software may accept webhook HTTP requests without verifying Telegram’s secret token header. This can allow forged Telegram updates, such as spoofing message.from.id, if the webhook endpoint is reachable by an attacker. Telegram webhook mode is not enabled by default and requires configuration of channels.telegram.webhookUrl. An attacker who can reach the webhook endpoint may be able to send forged updates that are processed as if they came from Telegram, potentially leading to unintended bot actions. The vulnerable component is the webhook functionality.

Recommendations (versions prior to 2026.2.1):
- Set a strong channels.telegram.webhookSecret and ensure your reverse proxy forwards the X-Telegram-Bot-Api-Secret-Token header unchanged.
- Restrict network access to the webhook endpoint.
- As a temporary workaround, consider disabling Telegram webhook mode by not configuring channels.telegram.webhookUrl.

Weakness Enumeration

Insufficient Verification of Data Authenticity

Related Identifiers

CVE-2026-25474
GHSA-MP5H-M6QJ-6292

Affected Products

Telegram
Openclaw