PT-2026-25480 · Npm · Openclaw
Published
2026-03-03
·
Updated
2026-03-03
CVSS v4.0
7.1
High
| Vector | AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |
A missing sender-authorization check in Telegram
message reaction handling allowed unauthorized users to trigger reaction-derived system events.Affected Packages / Versions
- Package:
openclaw(npm) - Introduced:
2026.2.17 - Affected:
>= 2026.2.17and<= 2026.2.24 - Latest published at patch time:
2026.2.24 - Patched in release:
2026.2.25
Impact
When reaction notifications are enabled, unauthorized Telegram senders could inject reaction system events despite configured DM/group authorization controls (
dmPolicy, allowFrom, groupPolicy, groupAllowFrom).Fix Commit(s)
e56b0cf1a04f992ac6ebc775899f48ea31687640
Release Process Note
patched versions is pre-set to the release (2026.2.25) so once npm release 2026.2.25 is published, this advisory can be published without further edits.OpenClaw thanks @tdjackey for reporting.
Fix
Incorrect Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Openclaw