CVE-2026-25474
Published: 19 February 2026
Summary
CVE-2026-25474 is a high-severity Insufficient Verification of Data Authenticity (CWE-345) vulnerability in Openclaw Openclaw. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 9.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as Enterprise AI Assistants; in the Protocol-Specific Risks risk domain.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-9 (Service Identification and Authentication).
Deeper analysis
CVE-2026-25474 affects OpenClaw, a personal AI assistant, in versions 2026.1.30 and below. The vulnerability arises when the application is configured for Telegram webhook mode via the channels.telegram.webhookUrl setting but lacks a configured channels.telegram.webhookSecret. In such cases, OpenClaw accepts incoming webhook HTTP requests without verifying the Telegram secret token header, enabling improper authentication (CWE-345). This issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N), rated high due to its potential for integrity impacts.
An attacker with network access to the exposed webhook endpoint can exploit this by crafting and sending forged HTTP requests that mimic legitimate Telegram updates, such as spoofing the message.from.id field. No authentication or user interaction is required. Successful exploitation allows the forged updates to be processed as authentic, potentially triggering unintended bot actions depending on the OpenClaw configuration, enabled commands, and tools. Note that Telegram webhook mode is not enabled by default and requires explicit configuration.
Mitigation involves upgrading to OpenClaw version 2026.2.1, where the issue has been addressed, as detailed in the project's GitHub release notes and related commit history. Administrators should ensure channels.telegram.webhookSecret is properly set in webhook mode and restrict endpoint exposure where possible.
This vulnerability is relevant to AI assistant deployments with Telegram integrations, though no evidence of real-world exploitation is reported.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8117
Vulnerability details
OpenClaw is a personal AI assistant. In versions 2026.1.30 and below, if channels.telegram.webhookSecret is not set when in Telegram webhook mode, OpenClaw may accept webhook HTTP requests without verifying Telegram’s secret token header. In deployments where the webhook endpoint is…
more
reachable by an attacker, this can allow forged Telegram updates (for example spoofing message.from.id). If an attacker can reach the webhook endpoint, they may be able to send forged updates that are processed as if they came from Telegram. Depending on enabled commands/tools and configuration, this could lead to unintended bot actions. Note: Telegram webhook mode is not enabled by default. It is enabled only when `channels.telegram.webhookUrl` is configured. This issue has been fixed in version 2026.2.1.
- CWE(s)
AI Security AnalysisAI
- AI Category
- Enterprise AI Assistants
- Risk Domain
- Protocol-Specific Risks
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: ai
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability in exposed Telegram webhook endpoint allows unauthenticated forged requests due to missing secret verification (CWE-345), directly enabling T1190 Exploit Public-Facing Application to trigger bot actions.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires identification and authentication of external services such as Telegram webhooks using secret tokens to prevent acceptance of forged updates.
Enforces approved authorizations by rejecting webhook HTTP requests lacking valid Telegram secret token verification.
Mandates timely flaw remediation, including patching OpenClaw to version 2026.2.1 where webhook secret verification is enforced.