Search for vulnerabilities
| Vulnerability ID | VCID-pvr1-9q4b-rbam |
| Aliases |
CVE-2026-28450
GHSA-mv9j-6xhh-g383 |
| Summary | OpenClaw's unauthenticated Nostr profile HTTP endpoints allow remote profile/config tampering The OpenClaw Nostr channel plugin (optional, disabled by default, installed separately) exposes profile management HTTP endpoints under `/api/channels/nostr/:accountId/profile` (GET/PUT) and `/api/channels/nostr/:accountId/profile/import` (POST). In affected versions, these routes were dispatched via the gateway plugin HTTP layer without requiring gateway authentication, allowing unauthenticated remote callers to read or mutate the Nostr profile and persist changes to the gateway config. Profile updates are also published as a signed Nostr kind:0 event using the bot's private key. Deployments that do not have the Nostr plugin installed and enabled are not impacted. |
| Status | Published |
| Exploitability | None |
| Weighted Severity | None |
| Risk | None |
| Affected and Fixed Packages | Package Details |
| System | Score | Found at |
|---|---|---|
| There are no known severity scores. | ||
No EPSS data available for this vulnerability.
| Date | Actor | Action | Source | VulnerableCode Version |
|---|---|---|---|---|
| 2026-06-02T04:50:08.582100+00:00 | GitLab Importer | Import | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/openclaw/GHSA-mv9j-6xhh-g383.yml | 38.6.0 |