Description
OpenClaw versions prior to 2026.2.14 contain an authorization bypass vulnerability where Telegram allowlist matching accepts mutable usernames instead of immutable numeric sender IDs. Attackers can spoof identity by obtaining recycled usernames to bypass allowlist restrictions and interact with bots as unauthorized senders.
Published: 2026-03-05
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Identity Spoofing via Authorization Bypass
Action: Apply Patch
AI Analysis

Impact

OpenClaw versions prior to 2026.2.14 allow attackers to spoof the identity of a Telegram user by using mutable usernames instead of the intended immutable numeric sender IDs. This flaw lets an adversary obtain a username that has been recycled by a legitimate user and use it to pass an allowlist check, thereby interacting with bots as an unauthorized sender. The weakness is an authorization bypass flaw (CWE-290) affecting confidentiality and integrity of bot interactions.

Affected Systems

OpenClaw deployments running on Node.js that use Telegram allowlist authorization. The vulnerability affects all versions before 2026.2.14; no specific sub-version details were supplied beyond the major release. Users of older releases are at risk unless they upgrade.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity, but the EPSS score of less than 1% suggests a low probability of exploitation under the current threat landscape. The vulnerability is not listed in the CISA KEV catalog. It is inferred that an attacker could observe or predict the recycling of a username to impersonate an allowed user without any privileged credentials. It is also inferred that the exploit can be performed remotely and without user interaction once the allowlist logic is disclosed.

Generated by OpenCVE AI on April 17, 2026 at 12:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenClaw to version 2026.2.14 or newer to apply the fix that enforces immutable numeric sender IDs in the allowlist.
  • Reconfigure the Telegram allowlist to validate against sender IDs rather than usernames, ensuring the logic matches the hardened check in the patched release.
  • Implement monitoring or audit logging to detect attempts to use self-altered usernames against the allowlist, and consider disabling the allowlist feature if migration is delayed.
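As an added illustration of the recommended change (example code written for this page, not OpenClaw's own code), the block below places a Node.js allowlist check keyed on Telegram @usernames beside one keyed on numeric sender IDs, and adds an audit helper of the kind the third action describes. The `id` and `username` field names follow the Telegram Bot API's User object; the allowlist config format, the sample IDs and the sample usernames are constructed for the example and are assumptions, not values from the advisory.

```javascript
// Added example, not OpenClaw's own code. It contrasts a Telegram allowlist
// check keyed on mutable @usernames with one keyed on immutable numeric sender
// IDs, plus a small audit helper. Field names (`id`, `username`) follow the
// Telegram Bot API's User object; the allowlist config format is assumed.

// Parse operator-supplied allowlist entries. Only numeric sender IDs are kept;
// anything that looks like a username is reported back so the operator can
// migrate it rather than having it silently accepted.
function parseSenderIdAllowlist(entries) {
  const ids = new Set();
  const rejected = [];
  for (const raw of entries) {
    const entry = String(raw).trim();
    if (/^\d{1,16}$/.test(entry)) {
      ids.add(Number(entry));      // stable numeric ID (16 digits fits a JS number exactly)
    } else {
      rejected.push(entry);        // "@alice", "alice", etc. need migration
    }
  }
  return { ids, rejected };
}

// Vulnerable pattern: match on the user-changeable @username.
function isAllowedByUsername(from, usernameAllowlist) {
  return typeof from.username === 'string'
    && usernameAllowlist.has(from.username.replace(/^@/, '').toLowerCase());
}

// Hardened pattern: match on the numeric ID and ignore the username entirely.
function isAllowedBySenderId(from, idAllowlist) {
  return Number.isInteger(from.id) && idAllowlist.has(from.id);
}

// Audit helper: a sender presenting an allowlisted username while its numeric
// ID is not allowlisted is exactly the recycled/changed-name case worth logging.
function auditSender(from, usernameAllowlist, idAllowlist) {
  const nameMatch = isAllowedByUsername(from, usernameAllowlist);
  const idMatch = isAllowedBySenderId(from, idAllowlist);
  return {
    id: from.id,
    username: from.username ?? null,
    allowed: idMatch,
    suspicious: nameMatch && !idMatch,
  };
}

// Constructed sample data (not real Telegram users or traffic).
const LEGACY_USERNAME_ALLOWLIST = new Set(['alice']);
const { ids: SENDER_ID_ALLOWLIST, rejected: MIGRATION_LEFTOVERS } =
  parseSenderIdAllowlist(['1001', '@alice']);

const ORIGINAL_ALICE = { id: 1001, username: 'alice', first_name: 'Alice' };
const ALICE_RENAMED  = { id: 1001, username: 'alice_new', first_name: 'Alice' };
const RECYCLED_NAME  = { id: 2002, username: 'alice', first_name: 'Someone' };

// Run all three senders through both checks and the audit helper.
function demo() {
  return [ORIGINAL_ALICE, ALICE_RENAMED, RECYCLED_NAME].map((from) => ({
    id: from.id,
    username: from.username,
    byUsername: isAllowedByUsername(from, LEGACY_USERNAME_ALLOWLIST),
    bySenderId: isAllowedBySenderId(from, SENDER_ID_ALLOWLIST),
    suspicious: auditSender(from, LEGACY_USERNAME_ALLOWLIST, SENDER_ID_ALLOWLIST).suspicious,
  }));
}

console.log('allowlist entries needing migration:', MIGRATION_LEFTOVERS);
console.table(demo());
```

The renamed-user row shows the second cost of username matching: after the legitimate user changes their handle, the username check locks them out while the sender-ID check keeps working. The `suspicious` flag in the audit record is the condition to route to logging or alerting while the username-based configuration is being migrated.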

Advisories
Source: GitHub GHSA
ID: GHSA-mj5r-hh7j-4gxf
Title: OpenClaw Telegram allowlist authorization accepted mutable usernames

History

Mon, 09 Mar 2026 21:15:00 +0000
  Metrics ssvc
    Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 05 Mar 2026 22:45:00 +0000
  Metrics cvssV3_1
    Removed: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
    Added:   {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

Thu, 05 Mar 2026 22:15:00 +0000
  Description
    Added: OpenClaw versions prior to 2026.2.14 contain an authorization bypass vulnerability where Telegram allowlist matching accepts mutable usernames instead of immutable numeric sender IDs. Attackers can spoof identity by obtaining recycled usernames to bypass allowlist restrictions and interact with bots as unauthorized senders.
  Title
    Added: OpenClaw < 2026.2.14 - Identity Spoofing via Mutable Username in Telegram Allowlist Authorization
  First Time appeared
    Added: Openclaw; Openclaw openclaw
  Weaknesses
    Added: CWE-290
  CPEs
    Added: cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
  Vendors & Products
    Added: Openclaw; Openclaw openclaw
  References
  Metrics cvssV3_1
    Added: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
  Metrics cvssV4_0
    Added: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}

MITRE
  Status: PUBLISHED
  Assigner: VulnCheck
  Published:
  Updated: 2026-03-09T20:58:49.810Z
  Reserved: 2026-02-27T19:20:32.111Z
  Link: CVE-2026-28480

Vulnrichment
  Updated: 2026-03-09T20:58:46.361Z

NVD
  Status: Analyzed
  Published: 2026-03-05T22:16:22.610
  Modified: 2026-03-17T17:49:51.037
  Link: CVE-2026-28480

Redhat
  No data.

OpenCVE Enrichment
  Updated: 2026-04-17T12:45:16Z

Weaknesses