A critical vulnerability in the openclaw npm package exposes Telegram bots to unauthorized session manipulation. Versions up to 2026.3.24 allow inline button callbacks from direct messages to bypass DM pairing requirements and directly mutate session state. Attackers exploit this to hijack bot sessions without proper authorization. The flaw affects any project relying on openclaw for Telegram interactions, patched first in version 2026.3.25 via commit 269282ac69ab6030d5f30d04822668f607f13065.
Vulnerability Breakdown
Openclaw handles Telegram client logic, including bot callbacks and session management. Telegram’s inline keyboards let users trigger actions via callback queries, carrying data like callback_data up to 64 bytes. In direct messages (DMs), these normally require “DM pairing”—a handshake ensuring the sender matches the expected peer before processing sensitive operations.
Prior to the patch, openclaw enforced weaker callback-only authorization for DM-scoped queries. This skipped full DM pairing, letting any callback from a DM endpoint alter session state unchecked. Session state in Telegram clients stores critical data: user IDs, auth keys, chat histories, and pending actions. Mutating it could inject false data, escalate privileges, or trigger unintended commands.
Repro steps confirm the issue on tag v2026.3.24: Send a DM with an inline button, craft a callback query lacking pairing proof, and watch it update session variables. The fix in commit 269282ac69ab6030d5f30d04822668f607f13065 adds strict DM authorization checks, rejecting unpaired callbacks. Verified fixed on the main branch.
Why This Matters: Real-World Risks
Telegram hosts over 950 million monthly users, with bots managing everything from trading signals to crypto wallets. Openclaw, though niche, powers custom clients in security-sensitive apps—think DeFi notifications or private group admins. An attacker needs only a DM target and callback crafting tools like Telegram’s raw API or libraries such as Telethon.
Exploitation chain: 1) User interacts with malicious inline button in DM. 2) Callback bypasses pairing. 3) Session state flips—e.g., swaps user IDs, approves fake transactions, or leaks keys. In crypto contexts, this means drained wallets or forged signatures. No public exploits yet, but Telegram’s API openness invites script kiddies.
Scale it up: Bots with 10,000+ users amplify damage. Openclaw’s npm stats show modest downloads (under 1,000 weekly at last check), but dependencies chain risk. If your stack includes it indirectly, audit now. Broader lesson: Telegram libs often skimp on peer auth, echoing past flaws in GramJS or Pyrogram where callback floods DoS’d sessions.
Response and Prevention
Upgrade immediately to openclaw 2026.3.25 or later—the latest at advisory time was 2026.3.24, so pull from npm or GitHub. Run npm update openclaw and test DM callbacks. If pinned, bump your package.json and audit for regressions.
Verify the patch: diff the commit; it inserts await this.pairing.assertCallback() or equivalent before state ops. Skeptical note: the version numbering (2026.x) suggests internal or pre-release builds, so confirm your fork aligns. For custom Telegram code, always validate callback origins against chat IDs and use HMAC-signed callback data.
Beyond openclaw, harden bots: Rate-limit callbacks (Telegram caps at 1/sec/user), log all mutations, and segment sessions per user. Tools like Fail2Ban or custom WAFs block anomalous DMs. In crypto apps, isolate hot wallets from bot sessions. This vuln underscores why you audit deps weekly—npm’s 2 million packages hide needles like this.
Bottom line: Patch fast, but don’t stop there. Telegram’s ecosystem thrives on convenience, but security shortcuts bite. If you’re building on it, own your auth stack.