Vulnerability Report

CVE-2026-28480

Title: Authorization Bypass via Telegram Username Spoofing

Other

Proof Of Concept

No public PoC currently indexed for CVE-2026-28480.

CWE Category CWE-290

Published Date Mar 05, 2026

Modified Date Mar 17, 2026

Exploit Status Not Found

Score 6.9 CVSS v4.0

Exploit Probability (EPSS)

0.21%

Vulnerability Summary

CVE-2026-28480: OpenClaw versions prior to 2026.2.14 contain an authorization bypass vulnerability where Telegram allowlist matching accepts mutable usernames instead of immutable numeric sender IDs. Attackers can spoof identity by obtaining recycled usernames to bypass allowlist restrictions and interact with bots as unauthorized senders.

Impacted Vendors

openclaw 1

Reference Links

https://github.com/openclaw/openclaw/commit/9e147f00b48e63e7be6964e0e2a97f2980854128 https://github.com/openclaw/openclaw/commit/e3b432e481a96b8fd41b91273818e514074e05c3 https://github.com/openclaw/openclaw/security/advisories/GHSA-mj5r-hh7j-4gxf https://www.vulncheck.com/advisories/openclaw-identity-spoofing-via-mutable-username-in-telegram-allowlist-authorization

CVSS v4.0

Source Entity [email protected]

Severity MEDIUM

6.9

Attack Vector

NETWORK

Complexity

LOW

Privileges

N/A

Interaction

NONE

Confidentiality

N/A

Integrity

N/A

Availability

N/A

Scope

N/A

RAW VECTOR

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CVSS v3.1