PT-2026-25462 · Npm · Openclaw
Published
2026-03-03
·
Updated
2026-03-03
None
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Impact
In Telegram DM mode, inbound media was downloaded and written to disk before sender authorization checks completed. An unauthorized sender could trigger inbound media download/write activity (including media groups) even when DM access should be denied.
Affected Packages / Versions
- Package:
openclaw(npm) - Latest published version currently affected:
2026.2.23 - Vulnerable range:
<= 2026.2.23 - Patched in planned next release:
2026.2.24
Fix Commit(s)
9514201fb9b51de5d0b23151110d0ff5d9c8bd67
Technical Details
The Telegram handler flow now enforces DM authorization before media download/write paths execute, including media-group handling. Inbound channel activity tracking was also moved to run after DM authorization in the Telegram message context path.
Release Process Note
patched versions is pre-set to the planned next release (2026.2.24). After npm publish, the advisory can be published without further version-field edits.OpenClaw thanks @v8hid for reporting.
Publication Update (2026-02-25)
openclaw@2026.2.24 is published on npm and contains the fix commit(s) listed above. This advisory now marks >= 2026.2.24 as patched.Improper Resource Release
Allocation of Resources Without Limits
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Openclaw