Lucene search
K

100 matches found

EUVD
EUVD
added 2026/03/05 9:59 p.m.5 views

EUVD-2026-9903

OpenClaw versions prior to 2026.2.2 fail to validate webhook secrets in Telegram webhook mode must be enabled, allowing unauthenticated HTTP POST requests to the webhook endpoint that trust attacker-controlled JSON payloads. Remote attackers can forge Telegram updates by spoofing message.from.id...

9.8CVSS6AI score0.00255EPSS
Exploits0References6
CNNVD
CNNVD
added 2026/03/05 12:0 a.m.38 views

OpenClaw 数据伪造问题漏洞

OpenClaw is an intelligent artificial assistant open-sourced by OpenClaw. OpenClaw suffers from a Data Forgery Issue vulnerability that stems from an unverified webhook key in Telegram webhook mode, which can be exploited by an attacker to forge Telegram updates to bypass the sender permission li...

9.8CVSS5.8AI score0.00255EPSS
Exploits0References6
Tenable Nessus
Tenable Nessus
added 2026/02/23 12:0 a.m.7 views

OpenClaw < 2026.2.1 Authentication Bypass (GHSA-mp5h-m6qj-6292)

The version of the OpenClaw AI assistant installed on the remote host is prior to 2026.2.1. It is, therefore, affected by an authentication bypass vulnerability: - If channels.telegram.webhookSecret is not set when in Telegram webhook mode, OpenClaw may accept webhook HTTP requests without...

7.5CVSS6AI score0.002EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2026/02/19 11:18 p.m.6 views

CVE-2026-27004 OpenClaw session tool visibility hardening and Telegram webhook secret fallback

OpenClaw is a personal AI assistant. Prior to version 2026.2.15, in some shared-agent deployments, OpenClaw session tools sessionslist, sessionshistory, sessionssend allowed broader session targeting than some operators intended. This is primarily a configuration/visibility-scoping issue in...

6.9CVSS5.5AI score0.00105EPSS
Exploits0References2
NVD
NVD
added 2026/02/19 7:17 a.m.6 views

CVE-2026-25474

OpenClaw is a personal AI assistant. In versions 2026.1.30 and below, if channels.telegram.webhookSecret is not set when in Telegram webhook mode, OpenClaw may accept webhook HTTP requests without verifying Telegram’s secret token header. In deployments where the webhook endpoint is reachable by ...

7.5CVSS0.002EPSS
Exploits1References6
Vulnrichment
Vulnrichment
added 2026/02/19 2:38 a.m.3 views

CVE-2026-25474 OpenClaw has a Telegram webhook request forgery (missing `channels.telegram.webhookSecret`) → auth bypass

OpenClaw is a personal AI assistant. In versions 2026.1.30 and below, if channels.telegram.webhookSecret is not set when in Telegram webhook mode, OpenClaw may accept webhook HTTP requests without verifying Telegram’s secret token header. In deployments where the webhook endpoint is reachable by ...

7.5CVSS5.6AI score0.002EPSS
Exploits1References6
CVE
CVE
added 2026/02/19 2:38 a.m.15 views

CVE-2026-25474

OpenClaw (openclaw) contains a vulnerability in versions 2026.1.30 and earlier where, if channels.telegram.webhookSecret is not set while operating in Telegram webhook mode, it may accept webhook requests without verifying Telegram’s secret header. This can allow an attacker who can reach the web...

7.5CVSS5.5AI score0.002EPSS
Exploits1References6Affected Software1
OSV
OSV
added 2026/02/19 2:38 a.m.4 views

CVE-2026-25474 OpenClaw has a Telegram webhook request forgery (missing `channels.telegram.webhookSecret`) → auth bypass

OpenClaw is a personal AI assistant. In versions 2026.1.30 and below, if channels.telegram.webhookSecret is not set when in Telegram webhook mode, OpenClaw may accept webhook HTTP requests without verifying Telegram’s secret token header. In deployments where the webhook endpoint is reachable by ...

7.5CVSS5.6AI score0.002EPSS
Exploits1References8
Positive Technologies
Positive Technologies
added 2026/02/19 12:0 a.m.9 views

PT-2026-20967

OpenClaw is a personal AI assistant. Prior to version 2026.2.15, in some shared-agent deployments, OpenClaw session tools sessions list, sessions history, sessions send allowed broader session targeting than some operators intended. This is primarily a configuration/visibility-scoping issue in...

6.9CVSS5.5AI score0.00105EPSS
Exploits0References3
OSV
OSV
added 2026/02/18 10:43 p.m.5 views

GHSA-6HF3-MHGC-CM65 OpenClaw session tool visibility hardening and Telegram webhook secret fallback

Vulnerability In some shared-agent deployments, OpenClaw session tools sessionslist, sessionshistory, sessionssend allowed broader session targeting than some operators intended. This is primarily a configuration/visibility-scoping issue in multi-user environments where peers are not equally...

6.9CVSS5.6AI score0.00105EPSS
Exploits0References4
Snyk
Snyk
added 2026/02/17 9:34 p.m.1 views

Authentication Bypass Using an Alternate Path or Channel

Overview @openclaw/nextcloud-talk is an OpenClaw Nextcloud Talk channel plugin Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel via the Telegram webhook endpoint when webhook mode is enabled without a configured secret. An attacker can...

9.8CVSS5.8AI score0.00255EPSS
Exploits0References2
Snyk
Snyk
added 2026/02/17 9:34 p.m.3 views

Authentication Bypass Using an Alternate Path or Channel

Overview @openclaw/nostr is an OpenClaw Nostr channel plugin for NIP-04 encrypted DMs Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel via the Telegram webhook endpoint when webhook mode is enabled without a configured secret. An attacke...

9.8CVSS5.8AI score0.00255EPSS
Exploits0References2
Snyk
Snyk
added 2026/02/17 9:34 p.m.5 views

Authentication Bypass Using an Alternate Path or Channel

Overview @openclaw/bluebubbles is an OpenClaw BlueBubbles channel plugin Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel via the Telegram webhook endpoint when webhook mode is enabled without a configured secret. An attacker can...

9.8CVSS5.8AI score0.00255EPSS
Exploits0References2
Snyk
Snyk
added 2026/02/17 9:34 p.m.3 views

Authentication Bypass Using an Alternate Path or Channel

Overview @openclaw/msteams is an OpenClaw Microsoft Teams channel plugin Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel via the Telegram webhook endpoint when webhook mode is enabled without a configured secret. An attacker can...

9.8CVSS5.8AI score0.00255EPSS
Exploits0References2
Snyk
Snyk
added 2026/02/17 9:34 p.m.4 views

Authentication Bypass Using an Alternate Path or Channel

Overview @openclaw/voice-call is an OpenClaw voice-call plugin Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel via the Telegram webhook endpoint when webhook mode is enabled without a configured secret. An attacker can impersonate...

9.8CVSS5.8AI score0.00255EPSS
Exploits0References2
Snyk
Snyk
added 2026/02/17 9:34 p.m.3 views

Authentication Bypass Using an Alternate Path or Channel

Overview @openclaw/feishu is an OpenClaw Feishu/Lark channel plugin community maintained by @m1heng Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel via the Telegram webhook endpoint when webhook mode is enabled without a configured...

9.8CVSS5.8AI score0.00255EPSS
Exploits0References2
Snyk
Snyk
added 2026/02/17 9:34 p.m.7 views

Authentication Bypass Using an Alternate Path or Channel

Overview @openclaw/zalo is an OpenClaw Zalo channel plugin Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel via the Telegram webhook endpoint when webhook mode is enabled without a configured secret. An attacker can impersonate authorize...

9.8CVSS5.8AI score0.00255EPSS
Exploits0References2
Snyk
Snyk
added 2026/02/17 9:34 p.m.5 views

Authentication Bypass Using an Alternate Path or Channel

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel via the Telegram webhook endpoint when webhook mode is enabled without a configured secret. An attacker can impersonate authorized...

9.8CVSS5.8AI score0.00255EPSS
Exploits0References2
OSV
OSV
added 2026/02/17 9:34 p.m.5 views

GHSA-FHVM-J76F-QMJV OpenClaw has a potential access-group authorization bypass if channel type lookup fails

Summary When Telegram webhook mode is enabled without a configured webhook secret, OpenClaw may accept unauthenticated HTTP POST requests at the Telegram webhook endpoint and trust attacker-controlled update JSON. This can allow forged Telegram updates that spoof message.from.id / chat.id,...

9.8CVSS5.6AI score0.00255EPSS
Exploits0References9
OSV
OSV
added 2026/02/17 6:46 p.m.5 views

GHSA-MP5H-M6QJ-6292 OpenClaw has a Telegram webhook request forgery (missing `channels.telegram.webhookSecret`) → auth bypass

Summary In Telegram webhook mode, if channels.telegram.webhookSecret is not set, OpenClaw may accept webhook HTTP requests without verifying Telegram’s secret token header. In deployments where the webhook endpoint is reachable by an attacker, this can allow forged Telegram updates for example...

7.5CVSS5.6AI score0.002EPSS
Exploits1References8
Rows per page
Query Builder