CVE-2026-28480
📋 TL;DR
OpenClaw versions before 2026.2.14 have an authorization bypass vulnerability where Telegram allowlist matching uses mutable usernames instead of immutable numeric sender IDs. Attackers can spoof identities by obtaining recycled usernames to bypass allowlist restrictions and interact with bots as unauthorized senders. This affects all OpenClaw deployments using Telegram allowlist functionality.
💻 Affected Systems
- OpenClaw
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain unauthorized access to sensitive bot functionality, potentially accessing confidential data, executing privileged commands, or manipulating bot operations.
Likely Case
Unauthorized users bypass allowlist restrictions to interact with bots, potentially accessing features intended only for authorized personnel.
If Mitigated
With proper controls, impact is limited to unauthorized access to non-sensitive bot features.
🎯 Exploit Status
Exploitation requires obtaining a recycled username that matches an allowlist entry.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2026.2.14
Vendor Advisory: https://github.com/openclaw/openclaw/security/advisories/GHSA-mj5r-hh7j-4gxf
Restart Required: Yes
Instructions:
1. Update OpenClaw to version 2026.2.14 or later.
2. Restart the OpenClaw service.
3. Verify the fix by checking logs for proper numeric ID matching.
🔧 Temporary Workarounds
Switch to numeric ID allowlist
Manually convert all allowlist entries from usernames to numeric Telegram IDs
# Edit OpenClaw configuration to use numeric IDs instead of usernames in allowlist
Disable Telegram allowlist functionality
Temporarily disable the allowlist feature until patched
# Set allowlist_enabled: false in OpenClaw configuration
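The following is an added illustration of the defect described in the TL;DR and of the "switch to numeric ID allowlist" workaround; it is not OpenClaw's own code. The `TelegramSender` shape, the function names and the sample IDs and usernames are constructed for this example; only the `id`/`username` fields mirror the Telegram Bot API `User` object.

```typescript
// Added example (not OpenClaw's code): an allowlist keyed on the mutable
// Telegram @username admits whoever currently holds that name, while one keyed
// on the immutable numeric sender id does not. Types and sample data below are
// assumptions for this illustration.

interface TelegramSender {
  id: number;        // assigned by Telegram, never changes
  username?: string; // optional and mutable; a released name can be re-registered
}

// Vulnerable matcher (the pre-2026.2.14 behaviour the advisory describes):
// allowlist entries are usernames, compared case-insensitively with or without "@".
function isAllowedByUsername(sender: TelegramSender, allowlist: string[]): boolean {
  if (!sender.username) return false;
  const name = sender.username.toLowerCase();
  return allowlist.some(entry => entry.replace(/^@/, "").toLowerCase() === name);
}

// Hardened matcher: only numeric entries are honoured. Username entries are
// ignored and reported so a recycled name can never satisfy the allowlist.
function isAllowedBySenderId(sender: TelegramSender, allowlist: string[]): boolean {
  const numericIds = new Set<number>();
  for (const entry of allowlist) {
    if (/^\d+$/.test(entry)) numericIds.add(Number(entry));
    else console.warn(`allowlist: ignoring non-numeric entry "${entry}"; use the numeric sender id`);
  }
  return numericIds.has(sender.id);
}

// Constructed scenario: the operator allowlisted "alice" (id 111). Alice later
// released the username and a different account (id 222) registered it.
const allowlistByName = ["@alice"];
const allowlistById = ["111"];
const originalAlice: TelegramSender = { id: 111, username: "alice" };
const recycledAlice: TelegramSender = { id: 222, username: "alice" };

function demo(): { vulnerableAdmitsImpostor: boolean; hardenedAdmitsImpostor: boolean; hardenedAdmitsOwner: boolean } {
  return {
    vulnerableAdmitsImpostor: isAllowedByUsername(recycledAlice, allowlistByName), // true
    hardenedAdmitsImpostor: isAllowedBySenderId(recycledAlice, allowlistById),     // false
    hardenedAdmitsOwner: isAllowedBySenderId(originalAlice, allowlistById),        // true
  };
}
```

The numeric id for a sender is what the Bot API reports in `message.from.id`; converting each allowlist entry to that value is the workaround described above.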
🧯 If You Can't Patch
- Implement additional authentication layer for sensitive bot commands
- Monitor logs for unusual username changes or allowlist bypass attempts
🔍 How to Verify
Check if Vulnerable:
Check the OpenClaw version and verify whether Telegram allowlist matching is username-based
Check Version:
openclaw --version
Verify Fix Applied:
Test that numeric Telegram IDs are now required for allowlist matching
📡 Detection & Monitoring
Log Indicators:
- Unauthorized username accessing allowlist-protected features
- Username changes matching allowlist entries
Network Indicators:
- Telegram API calls from unexpected usernames to protected endpoints
SIEM Query:
source="openclaw" AND (event="allowlist_bypass" OR username_change_detected)
🔗 References
- https://github.com/openclaw/openclaw/commit/9e147f00b48e63e7be6964e0e2a97f2980854128
- https://github.com/openclaw/openclaw/commit/e3b432e481a96b8fd41b91273818e514074e05c3
- https://github.com/openclaw/openclaw/security/advisories/GHSA-mj5r-hh7j-4gxf
- https://www.vulncheck.com/advisories/openclaw-identity-spoofing-via-mutable-username-in-telegram-allowlist-authorization