CVE
GHSA-qj22-xqjr-v83v
OpenClaw's Telegram message_reaction authorization bypass allows unauthorized system-event injection
A missing sender-authorization check in Telegram message_reaction handling allowed unauthorized users to trigger reaction-derived system events.
Affected Packages / Versions
- Package:
openclaw(npm) - Introduced:
2026.2.17 - Affected:
>= 2026.2.17and<= 2026.2.24 - Latest published at patch time:
2026.2.24 - Patched in release:
2026.2.25
Impact
When reaction notifications are enabled, unauthorized Telegram senders could inject reaction system events despite configured DM/group authorization controls (dmPolicy, allowFrom, groupPolicy, groupAllowFrom).
Fix Commit(s)
e56b0cf1a04f992ac6ebc775899f48ea31687640
Release Process Note
patched_versions is pre-set to the release (2026.2.25) so once npm release 2026.2.25 is published, this advisory can be published without further edits.
OpenClaw thanks @tdjackey for reporting.
Package Versions Affected
Package Version
patch Availability
No items found.
Automatically patch vulnerabilities without upgrading
Fix Without Upgrading
Detect compatible fix
Apply safe remediation
Fix with a single pull request
CVSS Version
Severity
Base Score
CVSS Version
Score Vector
C
H
U
-
C
H
U
0
-
C
H
U
-
Related Resources
No items found.
References
https://github.com/openclaw/openclaw/security/advisories/GHSA-qj22-xqjr-v83v, https://github.com/openclaw/openclaw/commit/e56b0cf1a04f992ac6ebc775899f48ea31687640, https://github.com/openclaw/openclaw
Basic Information
Ecosystem
