CVE-2026-28480

medium

Description

OpenClaw versions prior to 2026.2.14 contain an authorization bypass vulnerability where Telegram allowlist matching accepts mutable usernames instead of immutable numeric sender IDs. Attackers can spoof identity by obtaining recycled usernames to bypass allowlist restrictions and interact with bots as unauthorized senders.

References

Advisories
More

https://www.vulncheck.com/advisories/openclaw-identity-spoofing-via-mutable-username-in-telegram-allowlist-authorization

https://github.com/openclaw/openclaw/security/advisories/GHSA-mj5r-hh7j-4gxf

https://github.com/openclaw/openclaw/commit/e3b432e481a96b8fd41b91273818e514074e05c3

https://github.com/openclaw/openclaw/commit/9e147f00b48e63e7be6964e0e2a97f2980854128

Details

Source: Mitre, NVD

Published: 2026-03-05

Updated: 2026-03-17

Risk Information

CVSS v2

Base Score: 6.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 6.5

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Severity: Medium

CVSS v4

Base Score: 6.9

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Severity: Medium

EPSS

EPSS: 0.00028