CVE-2026-28448
Access Control Bypass in OpenClaw Twitch Plugin Enables Remote Abuse
Publication date: 2026-03-05
Last updated on: 2026-03-11
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openclaw | openclaw | From 2026.1.29 (inc) to 2026.2.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-285 | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
OpenClaw versions 2026.1.29 prior to 2026.2.1 have a vulnerability in the Twitch plugin where the allowFrom allowlist is not enforced if the allowedRoles setting is unset or empty.
This flaw allows unauthorized Twitch users to mention the bot in Twitch chat and bypass access controls, triggering the agent dispatch process.
As a result, attackers can invoke the agent pipeline remotely without proper authorization.
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized users triggering the agent pipeline, which may cause unintended actions within the system.
Additionally, it can result in resource exhaustion due to repeated or malicious invocations of the agent dispatch.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
I don't know