OpenClaw Webhook Secret Validation Vulnerability in Telegram Webhook Mode

Vulnerability

A vulnerability exists in OpenClaw versions prior to 2026.2.2, where the application fails to properly validate webhook secrets in Telegram webhook mode. This oversight allows unauthenticated HTTP POST requests to the webhook endpoint, which can include attacker-controlled JSON payloads. Exploiting this vulnerability, remote attackers can forge Telegram updates by manipulating the message.from.id and chat.id fields. This can bypass sender allowlists and enable the execution of privileged bot commands.

Impact

Exploitation of this vulnerability leads to an authorization bypass, allowing attackers to execute privileged commands via a Telegram bot.

Reproduction

To reproduce this vulnerability, send an HTTP POST request to the Telegram webhook endpoint without a valid webhook secret. Include a JSON payload that spoofs the message.from.id and chat.id fields to bypass sender allowlists and trigger a privileged command on the bot.

Remediation

Users can update to OpenClaw version 2026.2.2 or later, where this vulnerability has been addressed.
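The fix the advisory describes amounts to authenticating the webhook request before trusting any field in its body. The following is an added illustration, not OpenClaw's own code: Telegram sends the secret_token registered with setWebhook in the X-Telegram-Bot-Api-Secret-Token header, and the handler below checks that header in constant time and only then consults the sender allowlist. The secret, allowlist and update payload are constructed sample values.

```typescript
import { timingSafeEqual } from "node:crypto";

// Subset of a Telegram Update that the allowlist check reads.
interface TelegramUpdate {
  message?: { from?: { id: number }; chat?: { id: number }; text?: string };
}

type Verdict = "accepted" | "rejected:secret" | "rejected:allowlist";

// Constructed sample values (not from the advisory): the configured webhook
// secret, the sender allowlist, and an update whose from.id/chat.id are
// forged to match an allowlisted operator.
const WEBHOOK_SECRET = "example-secret-token-change-me";
const ALLOWED_SENDERS: ReadonlySet<number> = new Set([42]);
const SPOOFED_UPDATE: TelegramUpdate = {
  message: { from: { id: 42 }, chat: { id: 42 }, text: "/privileged" },
};

// Telegram echoes the setWebhook secret_token in the
// X-Telegram-Bot-Api-Secret-Token header. Compare in constant time and
// treat a missing header as a mismatch rather than as "no secret configured".
function secretMatches(headerValue: string | undefined, expected: string): boolean {
  if (headerValue === undefined) return false;
  const received = Buffer.from(headerValue, "utf8");
  const wanted = Buffer.from(expected, "utf8");
  // timingSafeEqual requires equal lengths; a length mismatch is a mismatch.
  return received.length === wanted.length && timingSafeEqual(received, wanted);
}

// Gate an inbound webhook POST. The secret check runs before any body field
// is trusted, so a spoofed from.id never reaches the allowlist decision.
// Header names are lower-case, as Node's req.headers presents them.
function authorizeUpdate(
  headers: Record<string, string | undefined>,
  body: TelegramUpdate,
  expectedSecret: string,
  allowedSenders: ReadonlySet<number>,
): Verdict {
  if (!secretMatches(headers["x-telegram-bot-api-secret-token"], expectedSecret)) {
    return "rejected:secret"; // unauthenticated POST: log and drop, parse nothing further
  }
  const senderId = body.message?.from?.id;
  if (senderId === undefined || !allowedSenders.has(senderId)) {
    return "rejected:allowlist";
  }
  return "accepted";
}
```

A count of "rejected:secret" verdicts is also a useful detection signal, since genuine Telegram deliveries should never produce one once the secret is registered.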

Added: Mar 5, 2026, 10:44 PM
Updated: Mar 5, 2026, 10:44 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 7.7
remediation: 0.0
relevance: 3.5
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.