CVE-2026-28448 in OpenClawinfo

Zusammenfassung

von MITRE • 06.03.2026

OpenClaw versions 2026.1.29 prior to 2026.2.1 contain a vulnerability in the Twitch plugin (must be installed and enabled) in which it fails to enforce the allowFrom allowlist when allowedRoles is unset or empty, allowing unauthorized Twitch users to trigger agent dispatch. Remote attackers can mention the bot in Twitch chat to bypass access control and invoke the agent pipeline, potentially causing unintended actions or resource exhaustion.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

Zuständig

VulnCheck

Reservieren

27.02.2026

Veröffentlichung

06.03.2026

Moderieren

akzeptiert

Eintrag

VDB-349364

CPE

bereit

CWE

CWE-285 (bestätigt)

CVSS

9.4 (NVD)

EPSS

0.00120

KEV

nein

Aktivitäten

very low

Quellen

MITRE	https://www.cve.org/CVERecord?id=CVE-2026-28448
NVD	https://nvd.nist.gov/vuln/detail/CVE-2026-28448
CVE Details	https://www.cvedetails.com/cve/CVE-2026-28448/

◂ Zurück Übersicht Weiter ▸

Might our Artificial Intelligence support you?

Check our Alexa App!