PT-2026-23555

Vincent Koc · Published 2026-02-14 · Updated 2026-03-06

CVE-2026-28480
CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.2.14; clawdbot versions prior to 2026.1.24-3

Description: The Telegram allowlist authorization mechanism incorrectly matched on mutable usernames (@username) instead of immutable numeric sender IDs. This allowed attackers to spoof identity by obtaining recycled usernames, bypassing allowlist restrictions and interacting with bots as unauthorized senders. This poses an identity rebinding and spoofing risk for operators who rely on Telegram allowlists as strict identity controls. The issue was addressed by requiring numeric Telegram sender IDs for allowlist authorization and rejecting usernames. A security audit warning was added to flag legacy configurations containing non-numeric Telegram allowlist entries. The openclaw doctor --fix command now attempts to resolve username allowFrom entries to numeric IDs.

Recommendations: Versions prior to 2026.2.14: update to version 2026.2.14 or later. Versions prior to 2026.1.24-3: update to version 2026.1.24-3 or later. Run openclaw doctor --fix to resolve any legacy configurations containing non-numeric Telegram allowlist entries.
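The following is an added example, not code from OpenClaw or clawdbot, that contrasts the username-matching check described above with an ID-only check, and adds the audit warning and a doctor-style resolver for legacy allowFrom entries. All function and field names are hypothetical, and the username lookup is supplied by the caller rather than fetched from Telegram.

```typescript
// Added example (hypothetical names, not OpenClaw's own code): numeric-ID allowlist
// authorization, a legacy-entry audit and a doctor-style resolver for username entries.

// Subset of the sender fields a bot sees on an incoming Telegram message.
interface Sender { id: number; username?: string }
const NUMERIC_ID = /^\d+$/;
const stripAt = (e: string) => e.replace(/^@/, "");

// Vulnerable behaviour (before the fix): a mutable @username entry authorizes
// whoever currently holds that username.
function isAllowedLegacy(allowFrom: string[], s: Sender): boolean {
  return allowFrom.some(e =>
    NUMERIC_ID.test(e) ? Number(e) === s.id : s.username !== undefined && stripAt(e) === s.username);
}

// Fixed behaviour: only numeric sender IDs authorize; username entries never match.
function isAllowed(allowFrom: string[], s: Sender): boolean {
  return allowFrom.some(e => NUMERIC_ID.test(e) && Number(e) === s.id);
}

// Audit warning: non-numeric entries are legacy and silently inert after the fix.
function auditAllowFrom(allowFrom: string[]): string[] {
  return allowFrom.filter(e => !NUMERIC_ID.test(e));
}

// Doctor-style fix: rewrite username entries to numeric IDs via a caller-supplied
// lookup (a real tool would query Telegram). Unresolvable entries are kept as-is
// so the audit keeps flagging them instead of dropping them silently.
function fixAllowFrom(allowFrom: string[], resolve: (u: string) => number | undefined)
  : { fixed: string[]; unresolved: string[] } {
  const fixed: string[] = [], unresolved: string[] = [];
  for (const e of allowFrom) {
    if (NUMERIC_ID.test(e)) { fixed.push(e); continue; }
    const id = resolve(stripAt(e));
    if (id === undefined) { fixed.push(e); unresolved.push(e); } else fixed.push(String(id));
  }
  return { fixed, unresolved };
}

// Constructed scenario: ID 111 owned @alice when the allowlist was written; the
// username was later released and registered by a different account, ID 999.
const allowFrom = ["@alice", "222"];
const newHolder: Sender = { id: 999, username: "alice" };
console.log(isAllowedLegacy(allowFrom, newHolder), isAllowed(allowFrom, newHolder)); // true false
console.log(fixAllowFrom(allowFrom, u => ({ alice: 111 } as Record<string, number>)[u]));
```

Note that after the fix a legacy "@alice" entry no longer authorizes the original owner either, which is why the audit warning and the resolver matter for operators upgrading.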

Fix

Weakness Enumeration

Authentication Bypass by Spoofing
Improper Access Control

Related Identifiers

BDU:2026-06158
CVE-2026-28480
GHSA-MJ5R-HH7J-4GXF

Affected Products

Openclaw
Telegram
Clawdbot