Nixpkgs Security Tracker

Dismissed

Permalink CVE-2026-28448

updated 6 days, 13 hours ago by @mweinelt Activity log

Created automatic suggestion 1 week, 1 day ago
@mweinelt dismissed 6 days, 13 hours ago

OpenClaw 2026.1.29 < 2026.2.1 - Authorization Bypass in Twitch Plugin allowFrom Access Control

OpenClaw versions 2026.1.29 prior to 2026.2.1 contain a vulnerability in the Twitch plugin (must be installed and enabled) in which it fails to enforce the allowFrom allowlist when allowedRoles is unset or empty, allowing unauthorized Twitch users to trigger agent dispatch. Remote attackers can mention the bot in Twitch chat to bypass access control and invoke the agent pipeline, potentially causing unintended actions or resource exhaustion.

References

Patch Commit patch
VulnCheck Advisory: OpenClaw 2026.1.29 < 2026.2.1 - Authorization Bypass in Twitch Plugin allowFrom Access Control third-party-advisory
GitHub Security Advisory (GHSA-33rq-m5x2-fvgf) vendor-advisory

Affected products

OpenClaw

<2026.2.1

Matching in nixpkgs

pkgs.openclaw

Self-hosted, open-source AI assistant/agent

nixos-unstable -
- nixpkgs-unstable 2026.2.26
- nixos-unstable-small 2026.2.26

Package maintainers

@chrisportela Chris Portela <chris@chrisportela.com>

Unaffected, never had 2026.2.1 or older.

Suggestion detail

References

Affected products

Matching in nixpkgs

pkgs.openclaw

Package maintainers