
Telegram App: Unsecured Accounts Can Be Tricked into Trusting Malicious Users

GHSA-f693-58pc-2gfr
Summary

OpenClaw's Telegram integration, in affected versions, migrates the legacy default-account `allowFrom` trust list into every named account, so a sender trusted only on the default account is treated as trusted on all named accounts without any separate check for those accounts. A user could thereby reach sensitive information or conversations behind a named account they were never authorized for. Update to the latest version of OpenClaw to fix this issue.

What to do
  • Update openclaw to version 2026.3.31.
Affected software
Vendor   Product    Affected versions   Fix available
-        openclaw   <= 2026.3.28        2026.3.31
Original title
OpenClaw: Telegram legacy allowFrom migration fans default-account trust into all named accounts
Original description
## Summary
Telegram legacy allowFrom migration fans default-account trust into all named accounts

## Current Maintainer Triage
- Normalized severity: low
- Assessment: Shipped v2026.3.28 Telegram migration fans legacy default-account allowFrom trust into named accounts, which is an in-scope auth-boundary bug, and "low" fits.

## Affected Packages / Versions
- Package: `openclaw` (npm)
- Latest published npm version: `2026.3.31`
- Vulnerable version range: `<=2026.3.28`
- Patched versions: `>= 2026.3.31`
- First stable tag containing the fix: `v2026.3.31`

## Fix Commit(s)
- `d8c68c8d4265ea6fa5e8c5e056534c351bddef37` — 2026-03-31T12:51:38+01:00

OpenClaw thanks @smaeljaish771 for reporting.
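An added illustration, not OpenClaw's own code, of the migration pattern the triage describes. It assumes a hypothetical config shape (a top-level Telegram `allowFrom` list plus per-account lists; the advisory does not show OpenClaw's real schema) and places the fan-out migration beside a correctly scoped one, with an audit helper a defender can run over a migrated config to spot named accounts that inherited default-account trust.

```javascript
// Added example, not OpenClaw's code; the config shape is an assumption.
// Constructed sample: legacy top-level allowFrom (default-account trust) plus
// three accounts, only "ops" with its own list.
const legacyConfig = {
  telegram: {
    allowFrom: ["111111111"],
    accounts: {
      default: { token: "TOKEN_DEFAULT_PLACEHOLDER" },
      support: { token: "TOKEN_SUPPORT_PLACEHOLDER" },
      ops: { token: "TOKEN_OPS_PLACEHOLDER", allowFrom: ["222222222"] },
    },
  },
};
const clone = (o) => JSON.parse(JSON.stringify(o));

// Buggy migration shape: every account without its own allowFrom inherits
// the legacy list, so default-account trust leaks into the named accounts.
function migrateFanOut(cfg) {
  const out = clone(cfg);
  const legacy = out.telegram.allowFrom ?? [];
  for (const acct of Object.values(out.telegram.accounts)) {
    if (!acct.allowFrom) acct.allowFrom = [...legacy];
  }
  delete out.telegram.allowFrom;
  return out;
}

// Corrected migration: the legacy list moves to the default account only;
// named accounts without their own list get an empty (deny-all) list.
function migrateScoped(cfg) {
  const out = clone(cfg);
  const legacy = out.telegram.allowFrom ?? [];
  for (const [name, acct] of Object.entries(out.telegram.accounts)) {
    if (!acct.allowFrom) acct.allowFrom = name === "default" ? [...legacy] : [];
  }
  delete out.telegram.allowFrom;
  return out;
}

// Authorization check on a migrated config: explicit allow list only.
function isAllowed(cfg, account, senderId) {
  return (cfg.telegram.accounts[account]?.allowFrom ?? []).includes(senderId);
}

// Audit helper: named accounts whose allow list equals the legacy list verbatim.
function fannedOutAccounts(migrated, legacyList) {
  return Object.entries(migrated.telegram.accounts)
    .filter(([n, a]) => n !== "default" && JSON.stringify(a.allowFrom) === JSON.stringify(legacyList))
    .map(([n]) => n);
}
```

Running `fannedOutAccounts` against a config migrated by an affected version is the quick way to see which named accounts need their `allowFrom` lists reviewed after upgrading.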
CVSS 4.0 (GHSA): 6.3
Vulnerability type
CWE-732 Incorrect Permission Assignment for Critical Resource
Published: 3 Apr 2026 · Updated: 3 Apr 2026 · First seen: 3 Apr 2026