OpenClaw's Telegram Message Reaction Hack Allows Unauthorized Access
GHSA-qj22-xqjr-v83v
Summary
A missing sender-authorization check in OpenClaw's Telegram `message_reaction` handling allowed unauthorized Telegram senders to trigger reaction-derived system events, bypassing the configured DM/group authorization controls. To fix this, update OpenClaw to version 2026.2.25 or later. If you're running an affected version, review your authorization settings to prevent unauthorized access.
What to do
- Update openclaw to version 2026.2.25.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | openclaw | <= 2026.2.24 | 2026.2.25 |
Original title
OpenClaw's Telegram message_reaction authorization bypass allows unauthorized system-event injection
Original description
A missing sender-authorization check in Telegram `message_reaction` handling allowed unauthorized users to trigger reaction-derived system events.
## Affected Packages / Versions
- Package: `openclaw` (npm)
- Introduced: `2026.2.17`
- Affected: `>= 2026.2.17` and `<= 2026.2.24`
- Latest published at patch time: `2026.2.24`
- Patched in release: `2026.2.25`
## Impact
When reaction notifications are enabled, unauthorized Telegram senders could inject reaction system events despite configured DM/group authorization controls (`dmPolicy`, `allowFrom`, `groupPolicy`, `groupAllowFrom`).
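As an added illustration of the bug class described above (not OpenClaw's code; the policy semantics and config shape are assumed): a minimal Telegram update handler in the vulnerable shape, where sender authorization runs only on the `message` path, beside a patched shape that checks `message_reaction` the same way.

```javascript
// Assumed config shape (constructed): dmPolicy/groupPolicy are "open" or
// "allowlist"; allowFrom/groupAllowFrom list permitted Telegram user ids.
const config = {
  dmPolicy: "allowlist", allowFrom: [1001],
  groupPolicy: "allowlist", groupAllowFrom: [1001],
};

// Resolve sender and chat for the two update kinds in scope. Telegram
// delivers messages as `message` (sender in `from`) and reactions as
// `message_reaction` (sender in `user`, absent for anonymous actors).
function senderOf(update) {
  if (update.message) return { user: update.message.from, chat: update.message.chat };
  if (update.message_reaction) return { user: update.message_reaction.user, chat: update.message_reaction.chat };
  return null;
}

// Apply the DM or group policy to whoever produced the update; fail closed
// when the sender cannot be identified.
function isAuthorized(update, cfg) {
  const s = senderOf(update);
  if (!s || !s.user) return false;
  const isGroup = s.chat.type !== "private";
  const policy = isGroup ? cfg.groupPolicy : cfg.dmPolicy;
  const list = isGroup ? cfg.groupAllowFrom : cfg.allowFrom;
  if (policy === "open") return true;
  return list.includes(s.user.id);
}

// Vulnerable shape: the check guards only the message path, so a reaction
// from any sender still becomes a system event.
function handleVulnerable(update, cfg) {
  if (update.message) {
    return isAuthorized(update, cfg) ? [{ type: "message", from: update.message.from.id }] : [];
  }
  if (update.message_reaction) return [{ type: "reaction", from: update.message_reaction.user?.id }];
  return [];
}

// Patched shape: one sender check before any update kind becomes an event.
function handlePatched(update, cfg) {
  if (!isAuthorized(update, cfg)) return [];
  if (update.message) return [{ type: "message", from: update.message.from.id }];
  if (update.message_reaction) return [{ type: "reaction", from: update.message_reaction.user.id }];
  return [];
}

// Constructed sample: a DM reaction from a user who is not on allowFrom.
const strangerReaction = {
  message_reaction: { chat: { id: 5, type: "private" }, user: { id: 4242 }, new_reaction: [{ type: "emoji", emoji: "👍" }] },
};
```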
## Fix Commit(s)
- `e56b0cf1a04f992ac6ebc775899f48ea31687640`
## Release Process Note
`patched_versions` is pre-set to the release (`2026.2.25`) so once npm release `2026.2.25` is published, this advisory can be published without further edits.
OpenClaw thanks @tdjackey for reporting.
CVSS 4.0 (GHSA): 7.1
Vulnerability type: CWE-863 Incorrect Authorization
Published: 3 Mar 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026