CVSS 4.0 base score: 6.9

Telegram audio transcription can waste resources for unauthorized senders in OpenClaw

GHSA-m6fx-m8hc-572m
Summary

OpenClaw versions up to and including 2026.3.28 run audio preflight transcription on Telegram group messages before the sender allowlist is enforced, so a sender who is not allowlisted can still make the bot spend CPU, temporary storage and any per-minute transcription billing on their audio. The maintainers assess this as resource or billing burn rather than data exposure or host compromise, but in a deployment that pays for transcription it can become a real cost. Update to OpenClaw 2026.3.31 or later, where the allowlist check happens before the transcription work.

What to do
  • Update openclaw to version 2026.3.31 or later.
Affected software
Product:            openclaw (npm)
Affected versions:  <= 2026.3.28
Fix available:      2026.3.31
Original title
OpenClaw: Telegram audio preflight transcription enables resource consumption by unauthorized senders
Original description
## Summary
Telegram audio preflight transcription enables resource consumption by unauthorized senders

## Current Maintainer Triage
- Status: narrow
- Normalized severity: medium
- Assessment: v2026.3.28 still lets unauthorized Telegram group senders trigger audio preflight before allowlist enforcement, but the real impact is resource or billing burn rather than direct data exposure or host compromise.
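
The ordering problem described in the summary and in the triage note, shown as an added example that is not OpenClaw's own code: a cut-down Telegram group message handler in which the "vulnerable" variant transcribes the audio before checking the sender, and the "hardened" variant checks the allowlist first and then applies a duration cap and a per-sender budget (the CWE-770 side of the fix). The function names, the `MAX_*` limits, the budget window and the update shapes are all assumptions made for the example; the real project's handler, config and patch are not reproduced here.

```javascript
// Added example, not OpenClaw's code. Names (makeTranscriber, handleUpdateVulnerable,
// handleUpdateHardened, makeSenderBudget) and the limits below are hypothetical.
// The Telegram update is reduced to the fields used here and msg.from is assumed present.

// Simulated transcription backend: every second of audio costs one unit, standing in
// for CPU time, temp storage and per-minute API billing.
function makeTranscriber() {
  const cost = { secondsBilled: 0, calls: 0 };
  return {
    cost,
    transcribeAudio(audio) {
      cost.calls += 1;
      cost.secondsBilled += audio.duration;
      return `transcript of ${audio.file_id}`;
    },
  };
}

// Vulnerable ordering: preflight transcription runs on every audio message so the
// handler can decide how to route it, and only then is the sender allowlist consulted.
function handleUpdateVulnerable(update, allowlist, transcriber) {
  const msg = update.message;
  let transcript = null;
  const audio = msg.audio || msg.voice;
  if (audio) {
    transcript = transcriber.transcribeAudio(audio); // paid for before authorization
  }
  if (!allowlist.has(msg.from.id)) {
    return { handled: false, reason: 'sender not allowlisted', transcript: null };
  }
  return { handled: true, transcript };
}

// Assumed limits for the hardened path; tune per deployment.
const MAX_AUDIO_SECONDS = 300;
const MAX_SECONDS_PER_SENDER = 1800; // fixed window for the example; a real budget would reset

function makeSenderBudget() {
  const used = new Map(); // sender id -> seconds of audio already transcribed
  return {
    tryConsume(senderId, seconds) {
      const soFar = used.get(senderId) || 0;
      if (soFar + seconds > MAX_SECONDS_PER_SENDER) return false;
      used.set(senderId, soFar + seconds);
      return true;
    },
  };
}

// Hardened ordering: authorize the sender first, then enforce limits, and only then
// do the expensive work. Every rejection here is a few map lookups, no external calls.
function handleUpdateHardened(update, allowlist, transcriber, budget) {
  const msg = update.message;
  if (!allowlist.has(msg.from.id)) {
    return { handled: false, reason: 'sender not allowlisted', transcript: null };
  }
  const audio = msg.audio || msg.voice;
  if (!audio) return { handled: true, transcript: null };
  if (audio.duration > MAX_AUDIO_SECONDS) {
    return { handled: false, reason: 'audio too long', transcript: null };
  }
  if (!budget.tryConsume(msg.from.id, audio.duration)) {
    return { handled: false, reason: 'sender transcription budget exhausted', transcript: null };
  }
  return { handled: true, transcript: transcriber.transcribeAudio(audio) };
}

// Constructed updates: one allowlisted sender, then a stranger who drops a ten-minute
// voice note into the group ten times.
const ALLOWLIST = new Set([1001]);
function makeUpdates() {
  const updates = [{ message: { from: { id: 1001 }, voice: { file_id: 'ok', duration: 12 } } }];
  for (let i = 0; i < 10; i++) {
    updates.push({ message: { from: { id: 4242 }, voice: { file_id: `spam${i}`, duration: 600 } } });
  }
  return updates;
}

function runScenario(handler) {
  const transcriber = makeTranscriber();
  const budget = makeSenderBudget();
  const results = makeUpdates().map((u) => handler(u, ALLOWLIST, transcriber, budget));
  return { results, calls: transcriber.cost.calls, secondsBilled: transcriber.cost.secondsBilled };
}

console.log('vulnerable:', runScenario(handleUpdateVulnerable).secondsBilled, 'seconds billed');
console.log('hardened:  ', runScenario(handleUpdateHardened).secondsBilled, 'seconds billed');
```

With the vulnerable ordering the stranger's ten messages cost 6000 seconds of transcription before each one is rejected; with the hardened ordering they cost nothing and only the allowlisted sender's 12 seconds are billed. The duration cap and per-sender budget are there because an allowlisted but compromised or careless account can still burn budget, which the allowlist alone does not address.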

## Affected Packages / Versions
- Package: `openclaw` (npm)
- Latest published npm version: `2026.3.31`
- Vulnerable version range: `<=2026.3.28`
- Patched versions: `>= 2026.3.31`
- First stable tag containing the fix: `v2026.3.31`

## Fix Commit(s)
- `c4fa8635d03943ffe9e294d501089521dca635c5` — 2026-03-30T12:19:31+01:00

OpenClaw thanks @AntAISecurityLab for reporting.
Severity source: GHSA, CVSS 4.0 base score 6.9
Vulnerability type
CWE-770 Allocation of Resources Without Limits or Throttling
Published: 3 Apr 2026 · Updated: 3 Apr 2026 · First seen: 3 Apr 2026