OpenClaw Authorization Bypass Vulnerability in Telegram Allowlist Matching
Vulnerability
A vulnerability exists in OpenClaw versions prior to 2026.2.14 that allows an authorization bypass in Telegram integrations. Allowlist matching accepted Telegram usernames, which are mutable (a user can change or release a handle, and a released handle can be re-registered by anyone), instead of requiring the immutable numeric sender ID. A username entry therefore authorizes whoever currently holds that handle, so an attacker who acquires a recycled username that appears in the allowlist is treated as an allowed sender and can interact with the bot without authorization.
Impact
Exploitation of this vulnerability could lead to unauthorized access and interaction with bots, bypassing established allowlist controls.
Reproduction
To reproduce this vulnerability, configure a Telegram bot with allowlist entries that use '@username' handles instead of numeric sender IDs. A sender whose current username matches one of those entries (for example, an attacker who registered the handle after its original holder released or changed it) is treated as an authorized sender, even though the numeric ID of that account was never allowlisted.
Remediation
Users are advised to update to OpenClaw version 2026.2.14 or later, which patches this issue. After updating, run the 'openclaw doctor --fix' command to resolve any remaining '@username' entries in the allowlist to their corresponding numeric IDs, then confirm that the Telegram allowlist contains only numeric IDs.
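The following is an added illustration, not OpenClaw code, of the matching flaw described under Reproduction and of the allowlist audit that the remediation step performs. It runs the two matching strategies over constructed Telegram Bot API updates (field names follow the public "Update"/"Message"/"User" objects; the sender IDs, names and handles are made up) and flags allowlist entries that still rely on a username. The function names and the allowlist format are assumptions for the example.

```python
"""Added example: username-based vs. ID-based Telegram allowlist matching."""
from typing import Any

# Constructed Telegram Bot API updates (not real traffic, not OpenClaw data).
UPDATES: list[dict[str, Any]] = [
    # 1. The legitimate operator: holds @alice, user id 123456789.
    {"update_id": 1, "message": {"message_id": 10,
        "from": {"id": 123456789, "is_bot": False, "first_name": "Alice", "username": "alice"},
        "chat": {"id": 123456789, "type": "private"}, "text": "/status"}},
    # 2. Attacker who registered the released handle @alice; different id.
    #    Telegram usernames are case-insensitive, so "Alice" still matches.
    {"update_id": 2, "message": {"message_id": 11,
        "from": {"id": 987654321, "is_bot": False, "first_name": "Mallory", "username": "Alice"},
        "chat": {"id": 987654321, "type": "private"}, "text": "/status"}},
    # 3. The legitimate operator after renaming to @alice_new; same id.
    {"update_id": 3, "message": {"message_id": 12,
        "from": {"id": 123456789, "is_bot": False, "first_name": "Alice", "username": "alice_new"},
        "chat": {"id": 123456789, "type": "private"}, "text": "/status"}},
    # 4. A sender who has no username set at all.
    {"update_id": 4, "message": {"message_id": 13,
        "from": {"id": 555, "is_bot": False, "first_name": "Nobody"},
        "chat": {"id": 555, "type": "private"}, "text": "/status"}},
]

# Pre-fix style allowlist (handle) and post-fix style allowlist (numeric id).
MIXED_ALLOWLIST = ["@alice"]
FIXED_ALLOWLIST = ["123456789"]


def is_allowed_by_username(update: dict[str, Any], allowlist: list[str]) -> bool:
    """Vulnerable matcher: trusts the mutable username.

    Whoever currently holds the handle is authorized, and the legitimate
    user is locked out as soon as they rename their account.
    """
    username = update["message"]["from"].get("username")
    if username is None:
        return False
    wanted = {entry[1:].lower() for entry in allowlist if entry.startswith("@")}
    return username.lower() in wanted


def is_allowed_by_id(update: dict[str, Any], allowlist: list[str]) -> bool:
    """Hardened matcher: compares only the immutable numeric user id.

    Username entries are ignored rather than matched, so they authorize
    nobody; this is why leftover '@username' entries must be migrated.
    """
    wanted = {int(entry) for entry in allowlist if entry.isdigit()}
    return update["message"]["from"]["id"] in wanted


def username_entries(allowlist: list[str]) -> list[str]:
    """Audit helper: return allowlist entries that are not numeric ids."""
    return [entry for entry in allowlist if not entry.isdigit()]


def evaluate() -> dict[int, tuple[bool, bool]]:
    """Map update_id -> (vulnerable decision, hardened decision)."""
    return {
        u["update_id"]: (
            is_allowed_by_username(u, MIXED_ALLOWLIST),
            is_allowed_by_id(u, FIXED_ALLOWLIST),
        )
        for u in UPDATES
    }


if __name__ == "__main__":
    for update_id, (vulnerable, hardened) in evaluate().items():
        print(f"update {update_id}: username match={vulnerable}  id match={hardened}")
    print("entries still using a username:", username_entries(MIXED_ALLOWLIST))
```

Update 2 is the bypass: the username matcher accepts the attacker because the recycled handle matches, while the ID matcher rejects it. Update 3 shows the mirror-image failure of username matching, a legitimate user denied after a rename. The audit helper reports the same class of entries the remediation step rewrites; until those are converted, the ID-based matcher authorizes nobody for that entry.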
