CVE-2026-28469 OpenClaw < 2026.2.14 - Cross-Account Policy Context Misrouting via Shared Webhook Path Ambiguity

OpenClaw versions prior to 2026.2.14 contain a webhook routing vulnerability in the Google Chat monitor component that allows cross-account policy context misrouting when multiple webhook targets share the same HTTP path. Attackers can exploit first-match request verification semantics to process...

CVE-2026-28469

OpenClaw contains a webhook routing vulnerability in the Google Chat monitor component (extensions/googlechat/src/monitor.ts) that allows cross-account policy context misrouting when multiple webhook targets share the same HTTP path. The issue arises because the system uses first-match request ve...

CVE-2026-28469

OpenClaw versions prior to 2026.2.14 contain a webhook routing vulnerability in the Google Chat monitor component that allows cross-account policy context misrouting when multiple webhook targets share the same HTTP path. Attackers can exploit first-match request verification semantics to process...

EUVD-2026-9911

OpenClaw's voice-call plugin versions before 2026.2.3 contain an improper authentication vulnerability in webhook verification that allows remote attackers to bypass verification by supplying untrusted forwarded headers. Attackers can spoof webhook events by manipulating Forwarded or X-Forwarded-...

CVE-2026-28465 OpenClaw voice-call < 2026.2.3 - Webhook Verification Bypass via Forwarded Headers

OpenClaw's voice-call plugin versions before 2026.2.3 contain an improper authentication vulnerability in webhook verification that allows remote attackers to bypass verification by supplying untrusted forwarded headers. Attackers can spoof webhook events by manipulating Forwarded or X-Forwarded-...

CVE-2026-28465

OpenClaw’s voice-call plugin (pre-2026.2.3) has an improper authentication flaw in webhook verification. An attacker can spoof webhook events by supplying untrusted Forwarded or X-Forwarded-* headers in reverse-proxy setups that implicitly trust these headers, bypassing verification. The issue af...

CVE-2026-28465 OpenClaw voice-call < 2026.2.3 - Webhook Verification Bypass via Forwarded Headers

OpenClaw's voice-call plugin versions before 2026.2.3 contain an improper authentication vulnerability in webhook verification that allows remote attackers to bypass verification by supplying untrusted forwarded headers. Attackers can spoof webhook events by manipulating Forwarded or X-Forwarded-...

CVE-2026-28465

OpenClaw's voice-call plugin versions before 2026.2.3 contain an improper authentication vulnerability in webhook verification that allows remote attackers to bypass verification by supplying untrusted forwarded headers. Attackers can spoof webhook events by manipulating Forwarded or X-Forwarded-...

CVE-2026-28454

OpenClaw vulnerable in versions prior to 2026.2.2 due to missing validation of webhook secrets in Telegram webhook mode, allowing unauthenticated HTTP POSTs to spoof updates by forging message.from.id and chat.id and bypass sender allowlists to execute privileged bot commands. Affected product: O...

CVE-2026-28454 OpenClaw < 2026.2.2 - Authorization Bypass via Unauthenticated Telegram Webhook

OpenClaw versions prior to 2026.2.2 fail to validate webhook secrets in Telegram webhook mode must be enabled, allowing unauthenticated HTTP POST requests to the webhook endpoint that trust attacker-controlled JSON payloads. Remote attackers can forge Telegram updates by spoofing message.from.id...

CVE-2026-28454 OpenClaw < 2026.2.2 - Authorization Bypass via Unauthenticated Telegram Webhook

OpenClaw versions prior to 2026.2.2 fail to validate webhook secrets in Telegram webhook mode must be enabled, allowing unauthenticated HTTP POST requests to the webhook endpoint that trust attacker-controlled JSON payloads. Remote attackers can forge Telegram updates by spoofing message.from.id...

CVE-2026-28454

OpenClaw versions prior to 2026.2.2 fail to validate webhook secrets in Telegram webhook mode must be enabled, allowing unauthenticated HTTP POST requests to the webhook endpoint that trust attacker-controlled JSON payloads. Remote attackers can forge Telegram updates by spoofing message.from.id...

EUVD-2026-9903

OpenClaw versions prior to 2026.2.2 fail to validate webhook secrets in Telegram webhook mode must be enabled, allowing unauthenticated HTTP POST requests to the webhook endpoint that trust attacker-controlled JSON payloads. Remote attackers can forge Telegram updates by spoofing message.from.id...

GHSA-FPX8-73GF-7X73 Plane has SSRF via Incomplete IP Validation in Webhook URL Serializer

Summary The webhook URL validation in plane/app/serializers/webhook.py only checks ip.isloopback, allowing attackers with workspace ADMIN role to create webhooks pointing to private/internal network addresses 10.x.x.x, 172.16.x.x, 192.168.x.x, 169.254.169.254, etc.. When webhook events fire, the...

Plane has SSRF via Incomplete IP Validation in Webhook URL Serializer

Summary The webhook URL validation in plane/app/serializers/webhook.py only checks ip.isloopback, allowing attackers with workspace ADMIN role to create webhooks pointing to private/internal network addresses 10.x.x.x, 172.16.x.x, 192.168.x.x, 169.254.169.254, etc.. When webhook events fire, the...

CVE-2026-27023

Twenty is an open source CRM. Prior to version 1.18, the SSRF protection in SecureHttpClientService validated request URLs at the request level but did not validate redirect targets. An authenticated user who could control outbound request URLs e.g., webhook endpoints, image URLs could bypass...

OpenClaw 安全漏洞

OpenClaw is an intelligent artificial assistant open-sourced by OpenClaw. OpenClaw suffers from a security vulnerability that stems from a Webhook routing issue in the Google Chat monitor component, which can be exploited by an attacker to cause cross-account policy context misrouting that bypass...

OpenClaw 数据伪造问题漏洞

OpenClaw is an open-source intelligent artificial assistant. Versions of OpenClaw prior to 2026.2.3 had a data manipulation vulnerability. This vulnerability stemmed from improper authentication in webhook verification, which could allow remote attackers to bypass the verification by using...

OpenClaw 安全漏洞

OpenClaw is used to handle Webhook events open source framework . A denial of service vulnerability exists in OpenClaw. An attacker can exploit this vulnerability to cause the service to become unavailable by sending an oversized JSON load or slow uploads that trigger memory pressure...

OpenClaw 访问控制错误漏洞

OpenClaw is openclaw open source an intelligent artificial assistant. OpenClaw suffers from an Access Control Error vulnerability that stems from the BlueBubbles Webhook handler authenticating based only on the loopback remoteAddress, which can be exploited by an attacker to cause bypass of the...