Impact
OpenClaw before 2026.3.25 contains an authorization bypass flaw in the handling of Telegram callback queries. The flaw allows an attacker to modify the service's session state by exploiting a weaker authorization check that is applied when a callback query is received in a direct-message context. Because the callback query path does not enforce the direct-message pairing requirement that ordinary messages are subject to, an unauthorized user can inject or change session tokens and other stateful data. This flaw is classified as CWE-288, Authorization Bypass By Privilege Escalation, and it grants the attacker the ability to tamper with session integrity and potentially gain unauthorized control over the bot's operations.
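The pattern described above, a bot that applies its direct-message pairing check to plain messages but a weaker check to callback queries, can be illustrated with a small update dispatcher. The following is an added example written for this page; it is not OpenClaw's code, and every name in it (pairedUsers, resolveActor, isAuthorized, handleUpdateWeak, handleUpdateHardened, the constructed update objects) is hypothetical. It models the weaker variant beside a hardened one in which both update kinds go through the same authorization decision before session state is touched.

```javascript
// Added example, not OpenClaw's code. All names and data are constructed.

// Constructed pairing store: Telegram user IDs that completed DM pairing.
const pairedUsers = new Set([1001]);

// Per-chat session state that the handlers mutate (constructed shape).
function newSessionStore() {
  return new Map(); // chatId -> { token }
}

// Derive the acting user and the chat for either update kind. For a callback
// query the chat comes from the message the inline keyboard was attached to,
// while the actor is the user who pressed the button (callback_query.from).
function resolveActor(update) {
  if (update.message) {
    return { userId: update.message.from.id, chat: update.message.chat };
  }
  if (update.callback_query) {
    const cq = update.callback_query;
    return { userId: cq.from.id, chat: cq.message ? cq.message.chat : null };
  }
  return null;
}

// The pairing requirement for private (direct-message) chats. In a Telegram
// private chat the chat id equals the user's id, so a mismatch between the
// acting user and the chat is itself a reason to reject.
function isAuthorized(actor) {
  if (!actor || !actor.chat) return false;
  if (actor.chat.type === 'private') {
    return pairedUsers.has(actor.userId) && actor.chat.id === actor.userId;
  }
  return true; // group-chat policy is out of scope for this example
}

// Weaker variant: messages are gated by pairing, but a callback query is
// accepted as soon as it arrives in a private chat.
function handleUpdateWeak(update, sessions) {
  if (update.message) {
    const actor = resolveActor(update);
    if (!isAuthorized(actor)) return { accepted: false, reason: 'not paired' };
    sessions.set(actor.chat.id, { token: update.message.text });
    return { accepted: true };
  }
  if (update.callback_query) {
    const cq = update.callback_query;
    const chat = cq.message && cq.message.chat;
    if (!chat || chat.type !== 'private') return { accepted: false, reason: 'not a DM' };
    // Defect being illustrated: cq.from.id is never checked against pairing.
    sessions.set(chat.id, { token: cq.data });
    return { accepted: true };
  }
  return { accepted: false, reason: 'unsupported update' };
}

// Hardened variant: one authorization decision regardless of update type,
// taken before any session state is written.
function handleUpdateHardened(update, sessions) {
  const actor = resolveActor(update);
  if (!actor) return { accepted: false, reason: 'unsupported update' };
  if (!isAuthorized(actor)) return { accepted: false, reason: 'not paired' };
  const payload = update.message ? update.message.text : update.callback_query.data;
  sessions.set(actor.chat.id, { token: payload });
  return { accepted: true };
}

// Constructed callback query from a user who never completed pairing.
const unpairedCallback = {
  callback_query: {
    id: 'cq-1',
    from: { id: 2002 },
    message: { chat: { id: 2002, type: 'private' } },
    data: 'set-token:constructed',
  },
};

// Constructed direct message from a paired user.
const pairedMessage = {
  message: { from: { id: 1001 }, chat: { id: 1001, type: 'private' }, text: 'hello' },
};

const weakStore = newSessionStore();
console.log('weak   :', handleUpdateWeak(unpairedCallback, weakStore), [...weakStore]);
const hardStore = newSessionStore();
console.log('hardened:', handleUpdateHardened(unpairedCallback, hardStore), [...hardStore]);
console.log('paired DM:', handleUpdateHardened(pairedMessage, newSessionStore()));
```

The defender-relevant point is structural: the pairing decision is made once, from the resolved actor, so adding a new inbound update type (a callback, an inline query, an edited message) cannot silently route around it. A unit test that feeds an unpaired callback query into the dispatcher and asserts the session store stays empty is the regression check to keep.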
Affected Systems
The vulnerability affects installations of OpenClaw version 2026.3.24 and earlier. Systems running the open source OpenClaw software on Node.js that are used to process Telegram bot interactions are susceptible. Specifically, any deployment that processes Telegram callback queries and has not upgraded to the 2026.3.25 release or later may be exploitable. The affected component is the callback query handler in the Telegram integration of OpenClaw.
Risk and Exploitability
The CVSS base score of 6.9 indicates a medium to high severity, reflecting the potential for significant data or control compromise in a production bot. The EPSS score is not available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, so no public exploit evidence is documented. The attack vector is remote, as the flaw is triggered by Telegram messages sent from an external user. An attacker only needs to send a specially crafted callback query over Telegram; no authentication is required beyond the existing messaging channel. Given the lack of mitigations from the service side, an exploit can succeed if the victim bot remains open to direct messages. Therefore, prompt remediation is advised.
OpenCVE Enrichment
Github GHSA