CVE-2026-28448
Received Received - Intake
Access Control Bypass in OpenClaw Twitch Plugin Enables Remote Abuse

Publication date: 2026-03-05

Last updated on: 2026-03-11

Assigner: VulnCheck

Description
OpenClaw versions 2026.1.29 prior to 2026.2.1 contain a vulnerability in the Twitch plugin (must be installed and enabled) in which it fails to enforce the allowFrom allowlist when allowedRoles is unset or empty, allowing unauthorized Twitch users to trigger agent dispatch. Remote attackers can mention the bot in Twitch chat to bypass access control and invoke the agent pipeline, potentially causing unintended actions or resource exhaustion.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-05
Last Modified
2026-03-11
Generated
2026-06-16
AI Q&A
2026-03-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-28448
EUVD
EUVD-2026-9898
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
openclaw openclaw From 2026.1.29 (inc) to 2026.2.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

OpenClaw versions 2026.1.29 prior to 2026.2.1 have a vulnerability in the Twitch plugin where the allowFrom allowlist is not enforced if the allowedRoles setting is unset or empty.

This flaw allows unauthorized Twitch users to mention the bot in Twitch chat and bypass access controls, triggering the agent dispatch process.

As a result, attackers can invoke the agent pipeline remotely without proper authorization.

Impact Analysis

This vulnerability can lead to unauthorized users triggering the agent pipeline, which may cause unintended actions within the system.

Additionally, it can result in resource exhaustion due to repeated or malicious invocations of the agent dispatch.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

I don't know

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-28448. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart