PT-2026-32313 · Npm · Openclaw

Published

2026-04-03

·

Updated

2026-04-03

CVSS v3.1

5.3

Medium

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Summary

Telegram audio preflight transcription enables resource consumption by unauthorized senders

Current Maintainer Triage

  • Status: narrow
  • Normalized severity: medium
  • Assessment: v2026.3.28 still lets unauthorized Telegram group senders trigger audio preflight before allowlist enforcement, but the real impact is resource or billing burn rather than direct data exposure or host compromise.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Latest published npm version: 2026.3.31
  • Vulnerable version range: <=2026.3.28
  • Patched versions: >= 2026.3.31
  • First stable tag containing the fix: v2026.3.31

Fix Commit(s)

  • c4fa8635d03943ffe9e294d501089521dca635c5 — 2026-03-30T12:19:31+01:00
OpenClaw thanks @AntAISecurityLab for reporting.

Fix

Allocation of Resources Without Limits

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-408CWE-770

Related Identifiers

GHSA-M6FX-M8HC-572M

Affected Products

Openclaw