OpenClaw: Unauthorized Telegram Senders Trigger Media Download and Disk Write Before Access Check

Moderate severity GitHub Reviewed Published Feb 25, 2026 in openclaw/openclaw • Updated Mar 3, 2026

Package

npm openclaw (npm)

Affected versions

<= 2026.2.23

Patched versions

2026.2.24

Description

Impact

In Telegram DM mode, inbound media was downloaded and written to disk before sender authorization checks completed. An unauthorized sender could trigger inbound media download/write activity (including media groups) even when DM access should be denied.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Latest published version currently affected: 2026.2.23
  • Vulnerable range: <= 2026.2.23
  • Patched in planned next release: 2026.2.24

Fix Commit(s)

  • 9514201fb9b51de5d0b23151110d0ff5d9c8bd67

Technical Details

The Telegram handler flow now enforces DM authorization before media download/write paths execute, including media-group handling. Inbound channel activity tracking was also moved to run after DM authorization in the Telegram message context path.
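The ordering flaw and its fix, as an added example that is not OpenClaw's own code. The message shapes follow the Telegram Bot API (a photo arrives as several sizes of one image, an album arrives as several updates sharing a `media_group_id`); the handler names, the DM policy object and the in-memory `FakeMediaSink` that stands in for the Telegram file fetch and the disk write are assumptions made for illustration.

```javascript
// Added example (not OpenClaw's code): a minimal model of the ordering bug in this advisory.
// Message shapes follow the Telegram Bot API; the handler names, the DM policy object and
// the in-memory FakeMediaSink are assumptions made for illustration.

// Stand-in for getFile + fetch + fs.writeFile; records every call so we can see
// whether any I/O happened for a sender who should have been denied.
class FakeMediaSink {
  constructor() {
    this.downloads = [];     // file_ids fetched from the Telegram API
    this.writes = new Map(); // path -> bytes written
  }
  download(fileId, size = 0) {
    this.downloads.push(fileId);
    const path = `/tmp/openclaw-media/${fileId}`;
    this.writes.set(path, size);
    return path;
  }
  bytesWritten() {
    let total = 0;
    for (const n of this.writes.values()) total += n;
    return total;
  }
}

// Assumed DM policy: { mode: "open" } or { mode: "allowlist", allowFrom: [userId, ...] }.
function isDmAuthorized(msg, policy) {
  if (msg.chat.type !== "private") return true; // the DM gate only applies to private chats here
  if (policy.mode === "open") return true;
  return policy.allowFrom.includes(msg.from.id);
}

// Telegram sends several sizes of one photo; only the largest (last) needs fetching.
function mediaToFetch(msg) {
  const out = [];
  if (msg.photo && msg.photo.length > 0) {
    const largest = msg.photo[msg.photo.length - 1];
    out.push({ fileId: largest.file_id, size: largest.file_size ?? 0 });
  }
  if (msg.document) out.push({ fileId: msg.document.file_id, size: msg.document.file_size ?? 0 });
  return out;
}

// Ordering described for <= 2026.2.23: fetch and write first, check the sender afterwards.
function handleDmVulnerable(msg, policy, sink) {
  const paths = mediaToFetch(msg).map((m) => sink.download(m.fileId, m.size));
  if (!isDmAuthorized(msg, policy)) return { accepted: false, paths }; // too late: bytes are on disk
  return { accepted: true, paths };
}

// Ordering after the fix: the authorization check gates every download/write path.
function handleDmFixed(msg, policy, sink) {
  if (!isDmAuthorized(msg, policy)) return { accepted: false, paths: [] };
  const paths = mediaToFetch(msg).map((m) => sink.download(m.fileId, m.size));
  return { accepted: true, paths };
}

// An album arrives as N separate updates sharing media_group_id. The group path must run
// the same gate for every item, or one unauthorized sender triggers N downloads at once.
function handleMediaGroup(items, policy, sink, handler) {
  const groupId = items[0] && items[0].media_group_id;
  const group = items.filter((m) => m.media_group_id === groupId);
  const results = group.map((m) => handler(m, policy, sink));
  return { accepted: results.every((r) => r.accepted), paths: results.flatMap((r) => r.paths) };
}

// Constructed sample input: a sender not on the allowlist DMs a two-photo album and a 20 MB document.
const policy = { mode: "allowlist", allowFrom: [1001] };
const album = [1, 2].map((n) => ({
  message_id: n,
  from: { id: 4242, username: "stranger" },
  chat: { id: 4242, type: "private" },
  media_group_id: "album-1",
  photo: [{ file_id: `p${n}-s`, file_size: 1000 }, { file_id: `p${n}-l`, file_size: 900000 }],
}));
const bigDoc = {
  message_id: 3,
  from: { id: 4242 },
  chat: { id: 4242, type: "private" },
  document: { file_id: "doc-1", file_size: 20000000 },
};

// How much unrequested network and disk I/O each ordering performs for that sender.
function ioForUnauthorized(handler) {
  const sink = new FakeMediaSink();
  const groupResult = handleMediaGroup(album, policy, sink, handler);
  const docResult = handler(bigDoc, policy, sink);
  return {
    accepted: groupResult.accepted || docResult.accepted,
    downloads: sink.downloads.length,
    bytes: sink.bytesWritten(),
  };
}

console.log("vulnerable ordering:", ioForUnauthorized(handleDmVulnerable)); // 3 downloads, 21800000 bytes
console.log("fixed ordering:     ", ioForUnauthorized(handleDmFixed));      // 0 downloads, 0 bytes
```

Both orderings reject the stranger, which is why the bug is easy to miss in functional tests: the difference is only visible in what happened before the rejection (three API fetches and 21.8 MB on disk versus nothing). The same gate-before-I/O rule is what the fix applies to the media-group path, so an album cannot be used to multiply the effect. To confirm a deployment is past the vulnerable range, run `npm ls openclaw` and check that the resolved version is 2026.2.24 or later.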

Release Process Note

patched_versions is pre-set to the planned next release (2026.2.24). After npm publish, the advisory can be published without further version-field edits.

OpenClaw thanks @v8hid for reporting.

Publication Update (2026-02-25)

openclaw@2026.2.24 is published on npm and contains the fix commit(s) listed above. This advisory now marks >= 2026.2.24 as patched.

References

@steipete published to openclaw/openclaw Feb 25, 2026
Published to the GitHub Advisory Database Mar 3, 2026
Reviewed Mar 3, 2026
Last updated Mar 3, 2026

Severity

Moderate

Weaknesses

CWE-208: Observable Timing Discrepancy

Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.

CWE-404: Improper Resource Shutdown or Release

The product does not release or incorrectly releases a resource before it is made available for re-use.

CWE-406: Insufficient Control of Network Message Volume (Network Amplification)

The product does not sufficiently monitor or control transmitted network traffic volume, so that an actor can cause the product to transmit more traffic than should be allowed for that actor.

CWE-770: Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

CVE ID

No known CVE

GHSA ID

GHSA-h656-5vcf-cm23
