Cyber Resilience

CVE-2026-25474

HighPublic PoC

Published: 19 February 2026

Published
19 February 2026
Modified
19 February 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS Score 0.0003 9.5th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-25474 is a high-severity Insufficient Verification of Data Authenticity (CWE-345) vulnerability in Openclaw Openclaw. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 9.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as Enterprise AI Assistants; in the Protocol-Specific Risks risk domain.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-9 (Service Identification and Authentication).

Deeper analysis

CVE-2026-25474 affects OpenClaw, a personal AI assistant, in versions 2026.1.30 and below. The vulnerability arises when the application is configured for Telegram webhook mode via the channels.telegram.webhookUrl setting but lacks a configured channels.telegram.webhookSecret. In such cases, OpenClaw accepts incoming webhook HTTP requests without verifying the Telegram secret token header, enabling improper authentication (CWE-345). This issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N), rated high due to its potential for integrity impacts.

An attacker with network access to the exposed webhook endpoint can exploit this by crafting and sending forged HTTP requests that mimic legitimate Telegram updates, such as spoofing the message.from.id field. No authentication or user interaction is required. Successful exploitation allows the forged updates to be processed as authentic, potentially triggering unintended bot actions depending on the OpenClaw configuration, enabled commands, and tools. Note that Telegram webhook mode is not enabled by default and requires explicit configuration.

Mitigation involves upgrading to OpenClaw version 2026.2.1, where the issue has been addressed, as detailed in the project's GitHub release notes and related commit history. Administrators should ensure channels.telegram.webhookSecret is properly set in webhook mode and restrict endpoint exposure where possible.

This vulnerability is relevant to AI assistant deployments with Telegram integrations, though no evidence of real-world exploitation is reported.

EU & UK References

Vulnerability details

OpenClaw is a personal AI assistant. In versions 2026.1.30 and below, if channels.telegram.webhookSecret is not set when in Telegram webhook mode, OpenClaw may accept webhook HTTP requests without verifying Telegram’s secret token header. In deployments where the webhook endpoint is…

more

reachable by an attacker, this can allow forged Telegram updates (for example spoofing message.from.id). If an attacker can reach the webhook endpoint, they may be able to send forged updates that are processed as if they came from Telegram. Depending on enabled commands/tools and configuration, this could lead to unintended bot actions. Note: Telegram webhook mode is not enabled by default. It is enabled only when `channels.telegram.webhookUrl` is configured. This issue has been fixed in version 2026.2.1.

CWE(s)

AI Security AnalysisAI

AI Category
Enterprise AI Assistants
Risk Domain
Protocol-Specific Risks
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: ai

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Vulnerability in exposed Telegram webhook endpoint allows unauthenticated forged requests due to missing secret verification (CWE-345), directly enabling T1190 Exploit Public-Facing Application to trigger bot actions.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-28454Same product: Openclaw Openclaw
CVE-2026-43534Same product: Openclaw Openclaw
CVE-2026-30741Same product: Openclaw Openclaw
CVE-2026-26319Same product: Openclaw Openclaw
CVE-2026-32302Same product: Openclaw Openclaw
CVE-2026-44116Same product: Openclaw Openclaw
CVE-2026-35652Same product: Openclaw Openclaw
CVE-2026-32004Same product: Openclaw Openclaw
CVE-2026-28453Same product: Openclaw Openclaw
CVE-2026-31989Same product: Openclaw Openclaw

Affected Assets

openclaw
openclaw
≤ 2026.2.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires identification and authentication of external services such as Telegram webhooks using secret tokens to prevent acceptance of forged updates.

prevent

Enforces approved authorizations by rejecting webhook HTTP requests lacking valid Telegram secret token verification.

prevent

Mandates timely flaw remediation, including patching OpenClaw to version 2026.2.1 where webhook secret verification is enforced.

References