PT-2026-33873 · Openclaw
Antaisecuritylab · Published 2026-04-03 · Updated 2026-04-21
CVE-2026-41331
CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Summary
Telegram audio preflight transcription enables resource consumption by unauthorized senders
Current Maintainer Triage
- Status: narrow
- Normalized severity: medium
- Assessment: v2026.3.28 still lets unauthorized Telegram group senders trigger audio preflight transcription before the sender allowlist is enforced. The practical impact is resource and billing consumption (unbounded transcription work for senders who should have been dropped), not direct data exposure or host compromise.
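The ordering problem described in the assessment, as an added illustration that is not OpenClaw's code: a hypothetical group-message handler in which audio preflight runs before the allowlist check (vulnerable) beside one that rejects unauthorized senders first and caps audio size (hardened). All names and the sample traffic are constructed for the example.

```typescript
// Added illustration, not OpenClaw's code: allowlist-before-preflight ordering.
type TelegramMessage = { chatId: string; senderId: string; text?: string; audio?: Uint8Array };
type Costs = { transcriptions: number; bytesTranscribed: number };
type Handler = (allow: Set<string>, pre: AudioPreflight, msg: TelegramMessage) => string | null;

class AudioPreflight {
  costs: Costs = { transcriptions: 0, bytesTranscribed: 0 };
  // Stand-in for the expensive (often billed) transcription call.
  transcribe(audio: Uint8Array): string {
    this.costs.transcriptions += 1;
    this.costs.bytesTranscribed += audio.length;
    return `<transcript of ${audio.length} bytes>`;
  }
}

const isAllowed = (allow: Set<string>, msg: TelegramMessage) => allow.has(msg.senderId);

// Vulnerable ordering: every inbound audio is transcribed, and only afterwards is the
// sender allowlist consulted, so unauthorized senders still burn transcription resources.
const handleVulnerable: Handler = (allow, pre, msg) => {
  let body = msg.text ?? "";
  if (msg.audio) body = pre.transcribe(msg.audio);
  if (!isAllowed(allow, msg)) return null;
  return body;
};

// Hardened ordering: drop unauthorized senders before any resource is spent, and bound
// the audio size accepted from authorized ones (hypothetical limit, a second safeguard).
const MAX_AUDIO_BYTES = 10 * 1024 * 1024;
const handleHardened: Handler = (allow, pre, msg) => {
  if (!isAllowed(allow, msg)) return null;
  if (msg.audio && msg.audio.length > MAX_AUDIO_BYTES) return null;
  let body = msg.text ?? "";
  if (msg.audio) body = pre.transcribe(msg.audio);
  return body;
};

// Replays a batch of group messages through a handler and reports what it cost.
function simulate(handler: Handler, allow: Set<string>, msgs: TelegramMessage[]): Costs {
  const pre = new AudioPreflight();
  for (const m of msgs) handler(allow, pre, m);
  return pre.costs;
}

// Constructed sample traffic: one allowlisted sender and three strangers in one group.
const ALLOW = new Set(["user-42"]);
const SAMPLE: TelegramMessage[] = [
  { chatId: "g1", senderId: "user-42", audio: new Uint8Array(1000) },
  { chatId: "g1", senderId: "stranger-1", audio: new Uint8Array(5000) },
  { chatId: "g1", senderId: "stranger-2", audio: new Uint8Array(5000) },
  { chatId: "g1", senderId: "stranger-3", text: "hello" },
];
```

Running `simulate` over the sample with each handler shows the vulnerable ordering paying for three transcriptions while the hardened one pays for only the allowlisted sender's audio.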
Affected Packages / Versions
- Package: openclaw (npm)
- Latest published npm version: 2026.3.31
- Vulnerable version range: <=2026.3.28
- Patched versions: >=2026.3.31
- First stable tag containing the fix: v2026.3.31
Fix Commit(s)
c4fa8635d03943ffe9e294d501089521dca635c5 (2026-03-30T12:19:31+01:00)
OpenClaw thanks @AntAISecurityLab for reporting.
Fix
Allocation of Resources Without Limits
Related Identifiers
Affected Products
Openclaw