OpenClaw Authorization Bypass Vulnerability in Telegram Callback Query Handling
Vulnerability
A vulnerability allowing authorization bypass in Telegram callback query handling has been identified in OpenClaw versions prior to 2026.3.25. Callback queries arriving from direct messages were subject only to a weaker, callback-specific authorization check instead of the normal direct message (DM) pairing requirement, so a remote attacker could send a callback query from an unpaired account and mutate session state without ever completing DM pairing.
Impact
Exploitation of this vulnerability allows for unauthorized modification of session state in Telegram direct messages, bypassing normal authorization requirements.
Reproduction
The vulnerability can be reproduced by sending a callback query from a direct message using an unpaired user account. The callback will be processed without the usual authorization checks, allowing the session state to be altered.
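As an added illustration (not OpenClaw's code, which this page does not show), the following TypeScript models the pattern described above: a bot update router that gates DM messages on pairing but lets callback queries mutate session state after only a payload-shape check, next to a router that resolves the sender for every update kind and applies one pairing gate before any state change. The update shapes follow the Telegram Bot API (`message` / `callback_query`); the pairing store, the session model and the `mode:<value>` callback payload are assumptions made for this example.

```typescript
// Added example, not OpenClaw's code. Models a Telegram update router with a
// callback-only authorization path (vulnerable) beside a single shared gate (fixed).
// The pairing store, session model and "mode:<value>" payload are assumed here.

type Chat = { id: number; type: "private" | "group" | "supergroup" | "channel" };
type User = { id: number };
type Message = { chat: Chat; from: User; text?: string };
type CallbackQuery = { id: string; from: User; message?: Message; data?: string };
type Update = { message?: Message; callback_query?: CallbackQuery };

// Per-chat session state kept by the bot (assumed model).
type Session = { mode: string };
type Sessions = Map<number, Session>;
// Telegram user IDs that completed DM pairing (assumed store).
type PairingStore = Set<number>;
type Outcome = "ok" | "unpaired" | "ignored";

function getSession(sessions: Sessions, chatId: number): Session {
  let s = sessions.get(chatId);
  if (!s) {
    s = { mode: "default" };
    sessions.set(chatId, s);
  }
  return s;
}

// Parses the assumed "mode:<word>" callback payload; null when malformed.
function parseModePayload(data: string | undefined): string | null {
  const match = /^mode:(\w+)$/.exec(data ?? "");
  return match ? (match[1] ?? null) : null;
}

// Vulnerable pattern: DM messages are checked against the pairing store, but
// callback queries are only validated for payload shape before mutating state.
function handleUpdateVulnerable(u: Update, paired: PairingStore, sessions: Sessions): Outcome {
  if (u.message) {
    const m = u.message;
    if (m.chat.type === "private" && !paired.has(m.from.id)) return "unpaired";
    if (m.text?.startsWith("/mode ")) getSession(sessions, m.chat.id).mode = m.text.slice(6).trim();
    return "ok";
  }
  if (u.callback_query) {
    const cq = u.callback_query;
    const chat = cq.message?.chat;
    if (!chat) return "ignored";
    const mode = parseModePayload(cq.data); // weaker callback-only check: no pairing lookup
    if (mode === null) return "ignored";
    getSession(sessions, chat.id).mode = mode;
    return "ok";
  }
  return "ignored";
}

// Fixed pattern: one function resolves who sent the update and in which chat,
// regardless of update kind, so every path hits the same authorization gate.
function senderAndChat(u: Update): { from: User; chat: Chat } | null {
  if (u.message) return { from: u.message.from, chat: u.message.chat };
  if (u.callback_query?.message) return { from: u.callback_query.from, chat: u.callback_query.message.chat };
  return null;
}

function handleUpdateFixed(u: Update, paired: PairingStore, sessions: Sessions): Outcome {
  const ctx = senderAndChat(u);
  if (!ctx) return "ignored";
  // Pairing gate runs before any session mutation, for messages and callbacks alike.
  if (ctx.chat.type === "private" && !paired.has(ctx.from.id)) return "unpaired";
  if (u.message?.text?.startsWith("/mode ")) {
    getSession(sessions, ctx.chat.id).mode = u.message.text.slice(6).trim();
    return "ok";
  }
  if (u.callback_query) {
    const mode = parseModePayload(u.callback_query.data);
    if (mode === null) return "ignored";
    getSession(sessions, ctx.chat.id).mode = mode;
    return "ok";
  }
  return "ok";
}

// Constructed sample: user 2 is not paired and clicks a button in a private chat.
function demo(): { vulnerable: Outcome; fixed: Outcome } {
  const paired: PairingStore = new Set([1]);
  const click: Update = {
    callback_query: {
      id: "q1",
      from: { id: 2 },
      message: { chat: { id: 42, type: "private" }, from: { id: 999 } },
      data: "mode:elevated",
    },
  };
  return {
    vulnerable: handleUpdateVulnerable(click, paired, new Map()),
    fixed: handleUpdateFixed(click, paired, new Map()),
  };
}

console.log(demo());
```

The defensive point is structural: authorization should be decided once from a sender/chat context that is derived for every update type, rather than re-implemented (or omitted) in each handler. A useful regression check for any bot is to replay an unpaired callback query through the router and assert that no session object is created or changed.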
Remediation
Users can upgrade to OpenClaw version 2026.3.25 or later to address this vulnerability.
