PT-2026-31364 · Npm · Openclaw
Published
2026-03-29
·
Updated
2026-03-29
CVSS v3.1
5.3
Medium
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
Summary
Telegram DM-Scoped Inline Button Callbacks Bypass DM Pairing and Mutate Session State
Affected Packages / Versions
- Package:
openclaw - Affected versions:
<= 2026.3.24 - First patched version:
2026.3.25 - Latest published npm version at verification time:
2026.3.24
Details
Telegram callback queries from direct messages previously used weaker callback-only authorization and could mutate session state without satisfying normal DM pairing. Commit
269282ac69ab6030d5f30d04822668f607f13065 enforces DM authorization for callbacks.Verified vulnerable on tag
v2026.3.24 and fixed on main by commit 269282ac69ab6030d5f30d04822668f607f13065.Fix Commit(s)
269282ac69ab6030d5f30d04822668f607f13065
Fix
Improper Authorization
Authentication Bypass Using an Alternate Path or Channel
Incorrect Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Openclaw