Nixpkgs Security Tracker

Dismissed

Permalink CVE-2026-28450

updated 6 days, 12 hours ago by @mweinelt Activity log

Created automatic suggestion 1 week, 1 day ago
@mweinelt dismissed 6 days, 12 hours ago

OpenClaw < 2026.2.12 - Unauthenticated Profile Tampering via Nostr Plugin HTTP Endpoints

OpenClaw versions prior to 2026.2.12 with the optional Nostr plugin enabled expose unauthenticated HTTP endpoints at /api/channels/nostr/:accountId/profile and /api/channels/nostr/:accountId/profile/import that allow reading and modifying Nostr profiles without gateway authentication. Remote attackers can exploit these endpoints to read sensitive profile data, modify Nostr profiles, persist malicious changes to gateway configuration, and publish signed Nostr events using the bot's private key when the gateway HTTP port is accessible beyond localhost.

References

Patch Commit patch
VulnCheck Advisory: OpenClaw < 2026.2.12 - Unauthenticated Profile Tampering via Nostr Plugin HTTP Endpoints third-party-advisory
GitHub Security Advisory (GHSA-mv9j-6xhh-g383) vendor-advisory

Affected products

OpenClaw

<2026.2.12

Matching in nixpkgs

pkgs.openclaw

Self-hosted, open-source AI assistant/agent

nixos-unstable -
- nixpkgs-unstable 2026.2.26
- nixos-unstable-small 2026.2.26

Package maintainers

@chrisportela Chris Portela <chris@chrisportela.com>

Unaffected, never had 2026.2.12 or older.

Suggestion detail

References

Affected products

Matching in nixpkgs

pkgs.openclaw

Package maintainers