OpenClaw Telegram Authorization Weakness: Usernames Can Be Stolen
CVE-2026-28480
GHSA-mj5r-hh7j-4gxf
Summary
If you use OpenClaw with Telegram, be aware that Telegram usernames can be changed or reassigned, so an allowlist keyed on usernames could let an unauthorized user reach your bot. To fix this, update to the latest version of OpenClaw, which now requires numeric Telegram sender IDs instead of usernames for authorization. If your existing configuration still lists usernames, run `openclaw doctor --fix` to attempt to resolve them to numeric IDs (best-effort; it needs a Telegram bot token).
What to do
- Update steipete openclaw to version 2026.2.14.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| steipete | openclaw | <= 2026.2.14 | 2026.2.14 |
| steipete | clawdbot | <= 2026.1.24-3 | – |
Original title
OpenClaw Telegram allowlist authorization accepted mutable usernames
Original description
## Summary
Telegram allowlist authorization could match on `@username` (mutable/recyclable) instead of immutable numeric sender IDs.
## Impact
Operators who treat Telegram allowlists as strict identity controls could unintentionally grant access if a username changes hands (identity rebinding/spoof risk). This can allow an unauthorized sender to interact with the bot in allowlist mode.
## Affected Packages / Versions
- npm `openclaw`: <= 2026.2.13
- npm `clawdbot`: <= 2026.1.24-3
## Fix
Telegram allowlist authorization now requires numeric Telegram sender IDs only. `@username` allowlist principals are rejected.
A security audit warning was added to flag legacy configs that still contain non-numeric Telegram allowlist entries.
`openclaw doctor --fix` now attempts to resolve `@username` allowFrom entries to numeric IDs (best-effort; requires a Telegram bot token).
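The following is an added illustration, not OpenClaw's code, of the authorization change the fix describes: the allowlist is validated so that only numeric Telegram sender IDs are accepted, each non-numeric legacy entry produces an audit warning, and the runtime check compares nothing but the immutable `from.id` of the incoming message. The weak variant that also matched on `@username` is kept beside it to show why a reassigned username would have been accepted. The config key `allowFrom`, the function names, and the sample messages are assumptions constructed for the example.

```javascript
// Added example (not OpenClaw's code). Assumed config shape: telegram.allowFrom
// is an array of principals. Telegram user IDs are positive integers, so a
// principal is valid only if it is a positive safe integer or a decimal
// integer string with no other characters.
function isNumericPrincipal(entry) {
  if (typeof entry === "number") {
    return Number.isSafeInteger(entry) && entry > 0;
  }
  return typeof entry === "string" && /^[1-9][0-9]*$/.test(entry.trim());
}

// Validate a (possibly legacy) allowFrom list. Returns the accepted numeric
// IDs as strings plus one audit warning per rejected non-numeric entry,
// modelling the "security audit warning" for legacy configs.
function validateAllowFrom(allowFrom) {
  const accepted = new Set();
  const warnings = [];
  for (const entry of allowFrom) {
    if (isNumericPrincipal(entry)) {
      accepted.add(String(entry).trim());
    } else {
      warnings.push(
        `telegram.allowFrom entry ${JSON.stringify(entry)} is not a numeric ` +
          `Telegram user ID; usernames are mutable and are ignored. ` +
          `Replace it with the sender's numeric ID.`
      );
    }
  }
  return { accepted, warnings };
}

// Weak check (the pre-fix behaviour being illustrated): a principal matches if
// it equals the sender's numeric ID *or* the sender's current @username.
function isAllowedSenderWeak(msg, allowFrom) {
  const from = msg.from ?? {};
  return allowFrom.some((e) => {
    const principal = String(e).trim();
    if (principal === String(from.id)) return true;
    return (
      typeof from.username === "string" &&
      principal.replace(/^@/, "").toLowerCase() === from.username.toLowerCase()
    );
  });
}

// Hardened check: only the immutable numeric `from.id` is consulted, and it
// must be a real integer (Telegram sends it as a JSON number).
function isAllowedSender(msg, accepted) {
  const from = msg.from;
  if (!from || !Number.isSafeInteger(from.id)) return false;
  return accepted.has(String(from.id));
}

// Constructed sample data: a legacy config mixing an ID and a username, and
// two Telegram-style messages. The username "alice" was originally held by
// user 111 and has since been taken over by a different account, 222.
const legacyAllowFrom = ["111", "@alice"];
const fromAliceOriginal = { message_id: 1, from: { id: 111, username: "alice" }, text: "hi" };
const fromUsernameSquatter = { message_id: 2, from: { id: 222, username: "alice" }, text: "hi" };

// Runs both checks over the sample and returns the outcome for inspection.
function runDemo() {
  const { accepted, warnings } = validateAllowFrom(legacyAllowFrom);
  return {
    warnings,
    weakAcceptsSquatter: isAllowedSenderWeak(fromUsernameSquatter, legacyAllowFrom),
    hardenedAcceptsSquatter: isAllowedSender(fromUsernameSquatter, accepted),
    hardenedAcceptsOriginal: isAllowedSender(fromAliceOriginal, accepted),
  };
}

console.log(JSON.stringify(runDemo(), null, 2));
```

Running the block prints one warning for the `@alice` entry, shows the weak check admitting the account that now holds that username, and shows the hardened check admitting only user 111. Resolving a username to an ID at config-repair time (what `openclaw doctor --fix` does) is deliberately kept out of the runtime path: the lookup happens once, with the operator watching, and the stored principal is the ID.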
## Fix Commit(s)
- e3b432e481a96b8fd41b91273818e514074e05c3
- 9e147f00b48e63e7be6964e0e2a97f2980854128
Thanks @vincentkoc for reporting.
NVD CVSS 3.1: 6.5
NVD CVSS 4.0: 6.9
Vulnerability type
- CWE-290
- CWE-284 (Improper Access Control)
References
- https://github.com/openclaw/openclaw/releases/tag/v2026.2.14
- https://nvd.nist.gov/vuln/detail/CVE-2026-28480
- https://github.com/advisories/GHSA-mj5r-hh7j-4gxf
- https://github.com/openclaw/openclaw/commit/9e147f00b48e63e7be6964e0e2a97f298085...
- https://github.com/openclaw/openclaw/commit/e3b432e481a96b8fd41b91273818e514074e...
- https://github.com/openclaw/openclaw/security/advisories/GHSA-mj5r-hh7j-4gxf
- https://www.vulncheck.com/advisories/openclaw-identity-spoofing-via-mutable-user...
Published: 18 Feb 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026