PT-2026-23528 · OpenClaw · OpenClaw Nostr Channel Plugin
Author: Petr Simecek
Published: 2026-02-17 · Updated: 2026-03-07
CVE-2026-28450
CVSS v4.0: 8.3 (High)
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions
OpenClaw versions prior to 2026.2.12
Description
The OpenClaw Nostr channel plugin, when installed and enabled, exposes unauthenticated HTTP endpoints at /api/channels/nostr/:accountId/profile and /api/channels/nostr/:accountId/profile/import. These endpoints allow reading and modifying Nostr profiles without gateway authentication. An attacker who can reach the gateway HTTP port can use them to read sensitive profile data, modify Nostr profiles, persist malicious changes to the gateway configuration, and publish signed Nostr events using the bot's private key. The issue is exploitable when the gateway HTTP port is reachable beyond localhost.
Recommendations
Upgrade to OpenClaw version 2026.2.12 or later.
As a temporary mitigation, restrict gateway HTTP exposure (bind loopback-only and/or enforce network-layer access controls) until upgraded.
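The interim mitigation above depends on the gateway's HTTP listener being bound to loopback only. The following script is an added example (not OpenClaw's own code) that checks this on a Linux host by parsing `ss -ltn` output and flagging any listener on the gateway port whose local address would accept connections from other hosts (`0.0.0.0`, `[::]`, `*`, or a specific non-loopback interface address). The port number is an assumption and a placeholder; the advisory does not state which port the gateway uses. The sample `ss` output embedded in the script is constructed so the check runs offline.

```python
"""Flag gateway HTTP listeners that are bound beyond loopback.

Added example, not part of OpenClaw. Parses `ss -ltn`-style output and
reports listening sockets on the assumed gateway port that are reachable
from non-loopback sources, i.e. deployments where the interim mitigation
(bind loopback-only) is not in effect.
"""
import ipaddress
import subprocess
from typing import List, Tuple

# Assumption / placeholder: the port the OpenClaw gateway listens on.
# Replace with the value from your own deployment.
GATEWAY_PORT = 18789

# Constructed sample in the column layout `ss -ltn` prints. Two of the
# entries on the gateway port are wildcard binds and should be flagged.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    127.0.0.1:18789     0.0.0.0:*
LISTEN 0      128    0.0.0.0:18789       0.0.0.0:*
LISTEN 0      511    [::]:18789          [::]:*
LISTEN 0      128    [::1]:18789         [::]:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
"""


def split_addr_port(local: str) -> Tuple[str, int]:
    """Split an ss 'Local Address:Port' field into (host, port).

    Handles IPv4 ('127.0.0.1:80'), bracketed IPv6 ('[::1]:80') and the
    wildcard forms '*:80' and '0.0.0.0:80'.
    """
    host, _, port = local.rpartition(":")
    return host.strip("[]"), int(port)


def is_loopback_only(host: str) -> bool:
    """True only if the bind address is a loopback address.

    Wildcards ('*', '0.0.0.0', '::') and any routable interface address
    are reachable from other hosts, so they return False. Anything that
    does not parse as an IP address is treated as exposed, to fail safe.
    """
    if host in ("*", ""):
        return False
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def exposed_listeners(ss_output: str, port: int = GATEWAY_PORT) -> List[str]:
    """Return the local addresses on `port` that are not loopback-only."""
    findings = []
    for line in ss_output.splitlines():
        cols = line.split()
        # Skip the header row and anything that is not a listening socket.
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        host, bound_port = split_addr_port(cols[3])
        if bound_port == port and not is_loopback_only(host):
            findings.append(cols[3])
    return findings


def check_live_host(port: int = GATEWAY_PORT) -> List[str]:
    """Run `ss -ltn` on this host and return exposed listeners on `port`."""
    out = subprocess.run(["ss", "-ltn"], capture_output=True, text=True, check=True)
    return exposed_listeners(out.stdout, port)


if __name__ == "__main__":
    # Demonstrate on the constructed sample; swap in check_live_host()
    # to audit the machine the script runs on.
    for addr in exposed_listeners(SAMPLE_SS_OUTPUT):
        print(f"gateway port bound beyond loopback: {addr}")
```

An empty result means every listener on the gateway port is loopback-bound, which is the state the temporary mitigation calls for; a non-empty result should be followed by rebinding the gateway or adding a network-layer access control in front of it until the upgrade to 2026.2.12 is done.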
Fix
Weakness types: Missing Authentication; Improper Authorization
Affected Products
Openclaw
Openclaw Nostr Channel Plugin