CVE-2026-35661
MEDIUMOpenClaw < 2026.3.25 - Telegram DM-Scoped Inline Button Callback Authorization Bypass
Title source: cnaDescription
OpenClaw before 2026.3.25 contains an authorization bypass vulnerability in Telegram callback query handling that allows attackers to mutate session state without satisfying normal DM pairing requirements. Remote attackers can exploit weaker callback-only authorization in direct messages to bypass DM pairing and modify session state.
References (3)
Core 3
Core References
Third Party Advisory third-party-advisory
GitHub Security Advisory (GHSA-j4c9-w69r-cw33)
https://github.com/openclaw/openclaw/security/advisories/GHSA-j4c9-w69r-cw33
Patch patch
Patch Commit
https://github.com/openclaw/openclaw/commit/269282ac69ab6030d5f30d04822668f607f13065
Third Party Advisory third-party-advisory
VulnCheck Advisory: OpenClaw < 2026.3.25 - Telegram DM-Scoped Inline Button Callback Authorization Bypass
https://www.vulncheck.com/advisories/openclaw-telegram-dm-scoped-inline-button-callback-authorization-bypass
Scores
CVSS v3
5.3
EPSS
0.0029
EPSS Percentile
20.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-288
Status
published
Products (4)
npm/openclaw
0 - 2026.3.28npm
OpenClaw/OpenClaw
< 2026.3.25
openclaw/openclaw
< 2026.3.25
OpenClaw/OpenClaw
2026.3.25
Published
Apr 10, 2026
Tracked Since
Apr 10, 2026