Home

Description

OpenClaw versions prior to 2026.2.12 with the optional Nostr plugin enabled expose unauthenticated HTTP endpoints at /api/channels/nostr/:accountId/profile and /api/channels/nostr/:accountId/profile/import that allow reading and modifying Nostr profiles without gateway authentication. Remote attackers can exploit these endpoints to read sensitive profile data, modify Nostr profiles, persist malicious changes to gateway configuration, and publish signed Nostr events using the bot's private key when the gateway HTTP port is accessible beyond localhost.

PUBLISHED Reserved 2026-02-27 | Published 2026-03-05 | Updated 2026-03-09 | Assigner VulnCheck




HIGH: 8.3CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N

MEDIUM: 6.8CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

Problem types

Missing Authentication for Critical Function

Product status

Default status
unaffected

Any version before 2026.2.12
affected

Credits

Petr Simecek (@simecek) reporter

Stanislav Fort, Aisle Research, www.aisle.com analyst

References

github.com/...enclaw/security/advisories/GHSA-mv9j-6xhh-g383 (GitHub Security Advisory (GHSA-mv9j-6xhh-g383)) vendor-advisory

github.com/...ommit/647d929c9d0fd114249230d939a5cb3b36dc70e7 (Patch Commit) patch

www.vulncheck.com/...mpering-via-nostr-plugin-http-endpoints (VulnCheck Advisory: OpenClaw < 2026.2.12 - Unauthenticated Profile Tampering via Nostr Plugin HTTP Endpoints) third-party-advisory

cve.org (CVE-2026-28450)

nvd.nist.gov (CVE-2026-28450)

Download JSON