CVE-2026-28450

216.73.217.22

· Published 05/03/2026 22:16 · Modified 06/03/2026 17:16

Labels: CVE-2026-28450 2026-03-05 CVE-2026-28450 CWE-306 [email protected]

Essential information

Published: 05/03/2026 22:16
Modified: 06/03/2026 17:16
Author: —
Creator: —
CVSS: 8.3 HIGH (v3) 8.3 HIGH (v4.0)
CISA KEV: No
CWE: —
CVSS vector: —

CVSS metrics

Description

OpenClaw versions prior to 2026.2.12 with the optional Nostr plugin enabled expose unauthenticated HTTP endpoints at /api/channels/nostr/:accountId/profile and /api/channels/nostr/:accountId/profile/import that allow reading and modifying Nostr profiles without gateway authentication. Remote attackers can exploit these endpoints to read sensitive profile data, modify Nostr profiles, persist malicious changes to gateway configuration, and publish signed Nostr events using the bot's private key when the gateway HTTP port is accessible beyond localhost.

NVD status

Status: Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]
NVD: View on NVD

Affected products (CPE)

Product	CPE
openclaw / openclaw	`cpe:2.3:a:openclaw:openclaw:<2026.2.12:::::::*`