PT-2026-31364 · Npm · Openclaw
Publicado
2026-03-29
·
Atualizado
2026-03-29
CVSS v3.1
5.3
Média
| Vetor | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
Summary
Telegram DM-Scoped Inline Button Callbacks Bypass DM Pairing and Mutate Session State
Affected Packages / Versions
- Package:
openclaw - Affected versions:
<= 2026.3.24 - First patched version:
2026.3.25 - Latest published npm version at verification time:
2026.3.24
Details
Telegram callback queries from direct messages previously used weaker callback-only authorization and could mutate session state without satisfying normal DM pairing. Commit
269282ac69ab6030d5f30d04822668f607f13065 enforces DM authorization for callbacks.Verified vulnerable on tag
v2026.3.24 and fixed on main by commit 269282ac69ab6030d5f30d04822668f607f13065.Fix Commit(s)
269282ac69ab6030d5f30d04822668f607f13065
Correção
Improper Authorization
Authentication Bypass Using an Alternate Path or Channel
Incorrect Authorization
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Identificadores relacionados
Produtos afetados
Openclaw