PT-2026-22442 · Npm · Clawdbot+1
Published
2026-02-18
·
Updated
2026-02-18
CVSS v4.0
6.9
Medium
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
Summary
Telegram allowlist authorization could match on
@username (mutable/recyclable) instead of immutable numeric sender IDs.Impact
Operators who treat Telegram allowlists as strict identity controls could unintentionally grant access if a username changes hands (identity rebinding/spoof risk). This can allow an unauthorized sender to interact with the bot in allowlist mode.
Affected Packages / Versions
- npm
openclaw: <= 2026.2.13 - npm
clawdbot: <= 2026.1.24-3
Fix
Telegram allowlist authorization now requires numeric Telegram sender IDs only.
@username allowlist principals are rejected.A security audit warning was added to flag legacy configs that still contain non-numeric Telegram allowlist entries.
openclaw doctor --fix now attempts to resolve @username allowFrom entries to numeric IDs (best-effort; requires a Telegram bot token).Fix Commit(s)
- e3b432e481a96b8fd41b91273818e514074e05c3
- 9e147f00b48e63e7be6964e0e2a97f2980854128
Thanks @vincentkoc for reporting.
Fix
Authentication Bypass by Spoofing
Improper Access Control
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Clawdbot
Openclaw