Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable via Telegram (AV:N) but requires a specific callback-ordering trick (AC:H); attacker must be an authenticated Telegram user (PR:L) and gains full command-execution impact.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1Blast Radius
ecosystem impact- 1 npm packages depend on openclaw (1 direct, 0 indirect)
Ecosystem-wide dependent count for version 2026.5.6.
DescriptionCVE.org
OpenClaw before 2026.5.6 contains an authorization bypass vulnerability in Telegram interactive callbacks that allows authenticated users to skip commands.allowFrom validation. Attackers can invoke affected callbacks to mark themselves as authorized senders before allowlist checks are applied, triggering command behavior outside configured Telegram sender restrictions.
AnalysisAI
Authorization bypass in OpenClaw prior to 2026.5.6 allows authenticated Telegram users to circumvent the commands.allowFrom sender allowlist by invoking interactive callbacks that mark the caller as authorized before validation runs. Reported by VulnCheck with a vendor patch available, this CWE-863 flaw lets attackers execute restricted command behaviors outside configured Telegram sender restrictions, though no public exploit identified at time of analysis.
Technical ContextAI
OpenClaw integrates with Telegram and exposes interactive callback handlers tied to bot commands. The commands.allowFrom configuration is intended to restrict which Telegram sender IDs may invoke commands, but the callback processing path applies an authorization side effect (marking the user as an authorized sender) before consulting the allowlist. This is a textbook CWE-863 Incorrect Authorization issue: the access decision is made in the wrong order relative to state that the attacker controls, so the check is effectively self-attesting. CPE coverage targets cpe:2.3:a:openclaw:openclaw across all versions up to the fixed release.
RemediationAI
Upgrade OpenClaw to version 2026.5.6 or later, which is the vendor-released patch referenced in GHSA-w5ww-7chg-mxcq (https://github.com/openclaw/openclaw/security/advisories/GHSA-w5ww-7chg-mxcq). If immediate patching is not possible, restrict access to the Telegram bot by reducing the bot's exposure (for example, move the bot to a private group whose membership is itself the trust boundary, or rotate the bot token and limit who knows it) so that arbitrary authenticated Telegram users cannot reach the callback handlers; note this loses the convenience of public/invitational use. Audit recent Telegram command activity for senders not present in commands.allowFrom and consider temporarily disabling sensitive interactive callbacks until the upgrade is applied, accepting the loss of those bot features in exchange for a closed bypass path.
Auth bypass in OpenClaw voice-call extension before 2026.2.1. EPSS 0.68%. PoC and patch available.
Privilege escalation in OpenClaw (pre-2026.3.28) allows unauthenticated remote attackers to gain administrative access b
OpenClaw versions 2026.2.22 through 2026.2.24 contain a privilege escalation vulnerability that allows authenticated att
An authorization mismatch vulnerability in OpenClaw versions prior to 2026.3.1 allows authenticated users with operator.
OpenClaw versions prior to 2026.1.29 automatically establish WebSocket connections to attacker-controlled gateway URLs e
Path traversal in OpenClaw through version 2026.3.23 enables unauthenticated remote attackers to read arbitrary files in
OpenClaw sandbox browser functionality launches x11vnc for noVNC observer sessions without requiring authentication, all
OpenClaw versions before 2026.2.26 allow authenticated attackers to write arbitrary files outside the workspace director
OpenClaw versions prior to 2026.2.22 contain a shell environment variable injection vulnerability in the system.run func
OpenClaw versions prior to 2026.2.22 contain a resource exhaustion vulnerability where the application fails to consiste
OpenClaw versions prior to 2026.3.1 contain a sandbox escape vulnerability that allows authenticated attackers with low
OpenClaw versions 2026.1.30 and below fail to validate Telegram webhook secret tokens when `channels.telegram.webhookSec
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36313
GHSA-5chm-94mp-c9cg