CVE-2026-28448

HIGH

OpenClaw 2026.1.29-2026.2.1 - Auth Bypass

Title source: llm

Description

OpenClaw versions 2026.1.29 prior to 2026.2.1 contain a vulnerability in the Twitch plugin (must be installed and enabled) in which it fails to enforce the allowFrom allowlist when allowedRoles is unset or empty, allowing unauthorized Twitch users to trigger agent dispatch. Remote attackers can mention the bot in Twitch chat to bypass access control and invoke the agent pipeline, potentially causing unintended actions or resource exhaustion.

References (3)

[Vendor Advisory] https://github.com/openclaw/openclaw/security/advisories/GHSA-33rq-m5x2-fvgf

[Patch] https://github.com/openclaw/openclaw/commit/8c7901c984866a776eb59662dc9d8b028de4f0d0

View Patch ZIP pw:eip

[Third Party Advisory] https://www.vulncheck.com/advisories/openclaw-authorization-bypass-in-twitch-plugin-allowfrom-access-control

Scores

CVSS v3 7.3

EPSS 0.0011

EPSS Percentile 29.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-285

Status published

Products (2)

npm/openclaw 2026.1.29 - 2026.2.1npm

openclaw/openclaw 2026.1.29 - 2026.2.1

Published Mar 05, 2026

Tracked Since Mar 06, 2026