Authentication Bypass Using an Alternate Path or Channel Affecting openclaw package, versions <2026.2.1


Severity

Recommended
0.0
critical
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.26% (17th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-JS-OPENCLAW-15307765
  • published18 Feb 2026
  • disclosed17 Feb 2026
  • creditPetr Simecek

Introduced: 17 Feb 2026

CVE-2026-28454  (opens in a new tab)
CWE-288  (opens in a new tab)

How to fix?

Upgrade openclaw to version 2026.2.1 or higher.

Overview

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel via the Telegram webhook endpoint when webhook mode is enabled without a configured secret. An attacker can impersonate authorized users and execute privileged commands by sending forged HTTP POST requests with spoofed fields in the update payload.

Note: This is only exploitable if the Telegram webhook is enabled and no webhook secret is configured.

CVSS Base Scores

version 4.0
version 3.1