GHSA-H656-5VCF-CM23
Vulnerability from github – Published: 2026-03-03 19:08 – Updated: 2026-03-03 19:08Impact
In Telegram DM mode, inbound media was downloaded and written to disk before sender authorization checks completed. An unauthorized sender could trigger inbound media download/write activity (including media groups) even when DM access should be denied.
Affected Packages / Versions
- Package:
openclaw(npm) - Latest published version currently affected:
2026.2.23 - Vulnerable range:
<= 2026.2.23 - Patched in planned next release:
2026.2.24
Fix Commit(s)
9514201fb9b51de5d0b23151110d0ff5d9c8bd67
Technical Details
The Telegram handler flow now enforces DM authorization before media download/write paths execute, including media-group handling. Inbound channel activity tracking was also moved to run after DM authorization in the Telegram message context path.
Release Process Note
patched_versions is pre-set to the planned next release (2026.2.24). After npm publish, the advisory can be published without further version-field edits.
OpenClaw thanks @v8hid for reporting.
Publication Update (2026-02-25)
openclaw@2026.2.24 is published on npm and contains the fix commit(s) listed above. This advisory now marks >= 2026.2.24 as patched.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2026.2.23"
},
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.2.24"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-208",
"CWE-404",
"CWE-406",
"CWE-770"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-03T19:08:30Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "## Impact\n\nIn Telegram DM mode, inbound media was downloaded and written to disk before sender authorization checks completed. An unauthorized sender could trigger inbound media download/write activity (including media groups) even when DM access should be denied.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Latest published version currently affected: `2026.2.23`\n- Vulnerable range: `\u003c= 2026.2.23`\n- Patched in planned next release: `2026.2.24`\n\n## Fix Commit(s)\n\n- `9514201fb9b51de5d0b23151110d0ff5d9c8bd67`\n\n## Technical Details\n\nThe Telegram handler flow now enforces DM authorization before media download/write paths execute, including media-group handling. Inbound channel activity tracking was also moved to run after DM authorization in the Telegram message context path.\n\n## Release Process Note\n\n`patched_versions` is pre-set to the planned next release (`2026.2.24`). After npm publish, the advisory can be published without further version-field edits.\n\nOpenClaw thanks @v8hid for reporting.\n\n\n### Publication Update (2026-02-25)\n`openclaw@2026.2.24` is published on npm and contains the fix commit(s) listed above. This advisory now marks `\u003e= 2026.2.24` as patched.",
"id": "GHSA-h656-5vcf-cm23",
"modified": "2026-03-03T19:08:30Z",
"published": "2026-03-03T19:08:30Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-h656-5vcf-cm23"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/9514201fb9b51de5d0b23151110d0ff5d9c8bd67"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "OpenClaw: Unauthorized Telegram Senders Trigger Media Download and Disk Write Before Access Check"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.