PT-2026-23532 · Openclaw · Openclaw

Petr Simecek · Published 2026-02-17 · Updated 2026-03-07

CVE-2026-28454
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions:
- OpenClaw versions prior to 2026.2.2
- OpenClaw versions 2026.1.30 and earlier
Description: When Telegram webhook mode is enabled without a configured webhook secret, the software may accept unauthenticated HTTP POST requests at the Telegram webhook endpoint and trust attacker-controlled update JSON. An attacker can forge Telegram updates that spoof message.from.id and chat.id, potentially bypassing sender allowlists and executing privileged bot commands. The root cause is a failure to validate webhook secrets when Telegram webhook mode is enabled. The affected API endpoint is the Telegram webhook endpoint; the vulnerable parameters are message.from.id and chat.id.
Recommendations:
- OpenClaw versions prior to 2026.2.1: Configure a strong channels.telegram.webhookSecret and ensure your reverse proxy forwards the X-Telegram-Bot-Api-Secret-Token header unchanged.
- OpenClaw version 2026.1.30 and earlier: Configure a strong channels.telegram.webhookSecret and ensure your reverse proxy forwards the X-Telegram-Bot-Api-Secret-Token header unchanged.

Fix

Weakness Enumeration:
- Improper Authorization
- Insufficient Verification of Data Authenticity

Related Identifiers:
- CVE-2026-28454
- GHSA-FHVM-J76F-QMJV

Affected Products: Openclaw