Telegram Migration in OpenClaw Allows Unauthorized Access to Some Accounts
GHSA-f693-58pc-2gfr
Summary
A recent update to OpenClaw, a tool for migrating Telegram accounts, has a security issue that could allow unauthorized access to some accounts. This is a low-level risk, but it's still important to update to the latest version to ensure your account remains secure. If you're using OpenClaw, please update to version 2026.3.31 or later to fix this issue.
What to do
- Update openclaw to version 2026.3.31.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | openclaw | <= 2026.3.31 | 2026.3.31 |
Original title
OpenClaw: Telegram legacy allowFrom migration fans default-account trust into all named accounts
Original description
## Summary
Telegram legacy allowFrom migration fans default-account trust into all named accounts
## Current Maintainer Triage
- Normalized severity: low
- Assessment: Shipped v2026.3.28 Telegram migration fans legacy default-account allowFrom trust into named accounts, which is an in-scope auth-boundary bug and low fits.
## Affected Packages / Versions
- Package: `openclaw` (npm)
- Latest published npm version: `2026.3.31`
- Vulnerable version range: `<=2026.3.28`
- Patched versions: `>= 2026.3.31`
- First stable tag containing the fix: `v2026.3.31`
## Fix Commit(s)
- `d8c68c8d4265ea6fa5e8c5e056534c351bddef37` — 2026-03-31T12:51:38+01:00
OpenClaw thanks @smaeljaish771 for reporting.
CVSS 4.0 score (OSV): 8.1
Vulnerability type
CWE-732: Incorrect Permission Assignment for Critical Resource
Published: 3 Apr 2026 · Updated: 3 Apr 2026 · First seen: 3 Apr 2026