100 matches found
EUVD-2026-9903
OpenClaw versions prior to 2026.2.2 fail to validate webhook secrets in Telegram webhook mode must be enabled, allowing unauthenticated HTTP POST requests to the webhook endpoint that trust attacker-controlled JSON payloads. Remote attackers can forge Telegram updates by spoofing message.from.id...
OpenClaw 数据伪造问题漏洞
OpenClaw is an intelligent artificial assistant open-sourced by OpenClaw. OpenClaw suffers from a Data Forgery Issue vulnerability that stems from an unverified webhook key in Telegram webhook mode, which can be exploited by an attacker to forge Telegram updates to bypass the sender permission li...
OpenClaw < 2026.2.1 Authentication Bypass (GHSA-mp5h-m6qj-6292)
The version of the OpenClaw AI assistant installed on the remote host is prior to 2026.2.1. It is, therefore, affected by an authentication bypass vulnerability: - If channels.telegram.webhookSecret is not set when in Telegram webhook mode, OpenClaw may accept webhook HTTP requests without...
CVE-2026-27004 OpenClaw session tool visibility hardening and Telegram webhook secret fallback
OpenClaw is a personal AI assistant. Prior to version 2026.2.15, in some shared-agent deployments, OpenClaw session tools sessionslist, sessionshistory, sessionssend allowed broader session targeting than some operators intended. This is primarily a configuration/visibility-scoping issue in...
CVE-2026-25474
OpenClaw is a personal AI assistant. In versions 2026.1.30 and below, if channels.telegram.webhookSecret is not set when in Telegram webhook mode, OpenClaw may accept webhook HTTP requests without verifying Telegram’s secret token header. In deployments where the webhook endpoint is reachable by ...
CVE-2026-25474 OpenClaw has a Telegram webhook request forgery (missing `channels.telegram.webhookSecret`) → auth bypass
OpenClaw is a personal AI assistant. In versions 2026.1.30 and below, if channels.telegram.webhookSecret is not set when in Telegram webhook mode, OpenClaw may accept webhook HTTP requests without verifying Telegram’s secret token header. In deployments where the webhook endpoint is reachable by ...
CVE-2026-25474
OpenClaw (openclaw) contains a vulnerability in versions 2026.1.30 and earlier where, if channels.telegram.webhookSecret is not set while operating in Telegram webhook mode, it may accept webhook requests without verifying Telegram’s secret header. This can allow an attacker who can reach the web...
CVE-2026-25474 OpenClaw has a Telegram webhook request forgery (missing `channels.telegram.webhookSecret`) → auth bypass
OpenClaw is a personal AI assistant. In versions 2026.1.30 and below, if channels.telegram.webhookSecret is not set when in Telegram webhook mode, OpenClaw may accept webhook HTTP requests without verifying Telegram’s secret token header. In deployments where the webhook endpoint is reachable by ...
PT-2026-20967
OpenClaw is a personal AI assistant. Prior to version 2026.2.15, in some shared-agent deployments, OpenClaw session tools sessions list, sessions history, sessions send allowed broader session targeting than some operators intended. This is primarily a configuration/visibility-scoping issue in...
GHSA-6HF3-MHGC-CM65 OpenClaw session tool visibility hardening and Telegram webhook secret fallback
Vulnerability In some shared-agent deployments, OpenClaw session tools sessionslist, sessionshistory, sessionssend allowed broader session targeting than some operators intended. This is primarily a configuration/visibility-scoping issue in multi-user environments where peers are not equally...
Authentication Bypass Using an Alternate Path or Channel
Overview @openclaw/nextcloud-talk is an OpenClaw Nextcloud Talk channel plugin Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel via the Telegram webhook endpoint when webhook mode is enabled without a configured secret. An attacker can...
Authentication Bypass Using an Alternate Path or Channel
Overview @openclaw/nostr is an OpenClaw Nostr channel plugin for NIP-04 encrypted DMs Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel via the Telegram webhook endpoint when webhook mode is enabled without a configured secret. An attacke...
Authentication Bypass Using an Alternate Path or Channel
Overview @openclaw/bluebubbles is an OpenClaw BlueBubbles channel plugin Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel via the Telegram webhook endpoint when webhook mode is enabled without a configured secret. An attacker can...
Authentication Bypass Using an Alternate Path or Channel
Overview @openclaw/msteams is an OpenClaw Microsoft Teams channel plugin Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel via the Telegram webhook endpoint when webhook mode is enabled without a configured secret. An attacker can...
Authentication Bypass Using an Alternate Path or Channel
Overview @openclaw/voice-call is an OpenClaw voice-call plugin Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel via the Telegram webhook endpoint when webhook mode is enabled without a configured secret. An attacker can impersonate...
Authentication Bypass Using an Alternate Path or Channel
Overview @openclaw/feishu is an OpenClaw Feishu/Lark channel plugin community maintained by @m1heng Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel via the Telegram webhook endpoint when webhook mode is enabled without a configured...
Authentication Bypass Using an Alternate Path or Channel
Overview @openclaw/zalo is an OpenClaw Zalo channel plugin Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel via the Telegram webhook endpoint when webhook mode is enabled without a configured secret. An attacker can impersonate authorize...
Authentication Bypass Using an Alternate Path or Channel
Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel via the Telegram webhook endpoint when webhook mode is enabled without a configured secret. An attacker can impersonate authorized...
GHSA-FHVM-J76F-QMJV OpenClaw has a potential access-group authorization bypass if channel type lookup fails
Summary When Telegram webhook mode is enabled without a configured webhook secret, OpenClaw may accept unauthenticated HTTP POST requests at the Telegram webhook endpoint and trust attacker-controlled update JSON. This can allow forged Telegram updates that spoof message.from.id / chat.id,...
GHSA-MP5H-M6QJ-6292 OpenClaw has a Telegram webhook request forgery (missing `channels.telegram.webhookSecret`) → auth bypass
Summary In Telegram webhook mode, if channels.telegram.webhookSecret is not set, OpenClaw may accept webhook HTTP requests without verifying Telegram’s secret token header. In deployments where the webhook endpoint is reachable by an attacker, this can allow forged Telegram updates for example...