OpenClaw Authentication Boundary Bypass Vulnerability via Telegram Legacy Migration
Vulnerability
An authentication boundary vulnerability has been identified in OpenClaw versions prior to 2026.3.31. The Telegram legacy allowFrom migration takes the trust that belonged only to the default account (its allowFrom entries) and applies it to every named account as well. A Telegram sender who was authorised only for the default account is therefore also accepted by the named accounts, which bypasses the per-account authentication boundary and grants unauthorised access to those accounts.
Impact
A sender trusted only by the default Telegram account can reach every named account, bypassing the authentication controls those accounts were meant to enforce. No additional credentials are needed beyond being on the default account's legacy allowFrom list.
Reproduction
On an OpenClaw version prior to 2026.3.31, migrate the Telegram pairing allowFrom store from its legacy layout. The migration fans the default account's trust out to all named accounts instead of keeping it scoped to the default account. Verify by inspecting each named account's access permissions after the migration: they now include senders that were only ever granted to the default account.
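The following is an added illustration of the fan-out described in the Vulnerability and Reproduction sections, not OpenClaw's own code. It models a pairing store as a map from account name to allowed Telegram sender IDs (the field names, the "default" account key, and the sample IDs are assumptions made for the example) and places the flawed migration next to a scoped one, together with the post-migration check a practitioner would run to find trust that leaked into named accounts.

```typescript
// Hypothetical model of a Telegram pairing/allowFrom store, written for this
// page; it is not OpenClaw's implementation. An account name maps to the list
// of Telegram sender IDs it accepts.
type AccountStore = Record<string, string[]>;

// Assumed name of the implicit single account in the legacy layout.
const DEFAULT_ACCOUNT = "default";

// Legacy, single-account layout: one flat allowFrom list that belonged to the
// default account only.
interface LegacyConfig {
  allowFrom: string[];
}

// Merge b into a without duplicates (order preserved).
function union(a: string[], b: string[]): string[] {
  const out = a.slice();
  for (const id of b) {
    if (out.indexOf(id) < 0) out.push(id);
  }
  return out;
}

// Flawed migration: the legacy list is merged into EVERY account present in
// the new store, named accounts included. This is the trust fan-out the
// advisory describes.
function migrateLegacyAllowFromFanOut(legacy: LegacyConfig, store: AccountStore): AccountStore {
  const out: AccountStore = {};
  for (const name of Object.keys(store)) {
    out[name] = union(store[name], legacy.allowFrom);
  }
  return out;
}

// Scoped migration: the legacy list is merged only into the default account,
// the one it was originally attached to. Named accounts keep their own lists.
function migrateLegacyAllowFromScoped(legacy: LegacyConfig, store: AccountStore): AccountStore {
  const out: AccountStore = {};
  for (const name of Object.keys(store)) {
    out[name] = store[name].slice();
  }
  out[DEFAULT_ACCOUNT] = union(out[DEFAULT_ACCOUNT] ?? [], legacy.allowFrom);
  return out;
}

// The authentication check the migration feeds: is this sender allowed to
// reach this account?
function isAllowed(store: AccountStore, account: string, senderId: string): boolean {
  return (store[account] ?? []).indexOf(senderId) >= 0;
}

// Post-migration audit from the Reproduction section: list every
// "account:senderId" pair where a named account now trusts a sender that it
// did not trust before and that came from the legacy (default) list.
function findLeakedTrust(before: AccountStore, after: AccountStore, legacy: LegacyConfig): string[] {
  const leaks: string[] = [];
  for (const name of Object.keys(after)) {
    if (name === DEFAULT_ACCOUNT) continue;
    for (const id of legacy.allowFrom) {
      const hadBefore = (before[name] ?? []).indexOf(id) >= 0;
      const hasAfter = (after[name] ?? []).indexOf(id) >= 0;
      if (!hadBefore && hasAfter) leaks.push(`${name}:${id}`);
    }
  }
  return leaks;
}

// Constructed sample data (not taken from any real deployment): one legacy
// sender, a default account with no entries yet, and two named accounts.
const legacy: LegacyConfig = { allowFrom: ["111111111"] };
const store: AccountStore = {
  default: [],
  ops: ["222222222"],
  finance: [],
};
```

Running findLeakedTrust over the fanned-out result reports the legacy sender under both named accounts, while the scoped migration reports nothing and still admits that sender on the default account, which is the behaviour the fixed migration should have.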
Remediation
Upgrade to OpenClaw version 2026.3.31 or later. Installations that already ran the legacy migration should also review the named accounts' access permissions (the check described under Reproduction) for trust that was fanned out from the default account.
