Incorrect authorization in OpenClaw - #VU128760


Published: May 1, 2026


Vulnerability identifier: #VU128760
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-863
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OpenClaw
Affected software:
OpenClaw

Detailed vulnerability description

The vulnerability allows a remote attacker to inject unauthorized system events.

The vulnerability exists due to incorrect authorization in Telegram message_reaction handling when processing reaction notifications. A remote attacker can send reaction updates from an unauthorized sender to inject unauthorized system events.

Only instances with reaction notifications enabled are vulnerable.
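As an added illustration, not OpenClaw's code: the kind of sender authorization a gateway should apply to Telegram `message_reaction` updates before turning them into system events, shown next to the unchecked variant that matches the CWE-863 pattern described above. Field names follow the Telegram Bot API `MessageReactionUpdated` object; the allowlist, the `reactionNotifications` flag and the `SystemEvent` shape are assumptions made for this example.

```typescript
// Constructed example, not OpenClaw's code: an authorization gate for Telegram
// `message_reaction` updates before they become agent-visible system events.
// Field names follow the Telegram Bot API MessageReactionUpdated object; the
// allowlist, config flag and SystemEvent shape are assumptions for this example.

interface ReactionType { type: string; emoji?: string; }
interface MessageReactionUpdated {
  chat: { id: number };
  message_id: number;
  user?: { id: number; username?: string };   // set for non-anonymous reactors
  actor_chat?: { id: number };                 // set when the reactor is anonymous
  date: number;
  old_reaction: ReactionType[];
  new_reaction: ReactionType[];
}
interface SystemEvent { kind: "reaction"; chatId: number; messageId: number; senderId: number; emojis: string[]; }
interface GatewayConfig { reactionNotifications: boolean; allowedSenderIds: number[]; }

function emojisOf(u: MessageReactionUpdated): string[] {
  return u.new_reaction.filter(r => r.type === "emoji" && r.emoji).map(r => r.emoji as string);
}

// CWE-863 pattern: the feature flag is checked but the sender never is,
// so any Telegram account that can react to the message reaches the agent.
function unsafeReactionToEvent(u: MessageReactionUpdated, cfg: GatewayConfig): SystemEvent | null {
  if (!cfg.reactionNotifications) return null;
  const senderId = u.user?.id ?? u.actor_chat?.id ?? 0;
  return { kind: "reaction", chatId: u.chat.id, messageId: u.message_id, senderId, emojis: emojisOf(u) };
}

// Hardened: reactions get the same sender authorization as inbound messages.
function reactionToEvent(u: MessageReactionUpdated, cfg: GatewayConfig): SystemEvent | null {
  if (!cfg.reactionNotifications) return null;               // feature off: emit nothing
  if (!u.user) return null;                                   // anonymous/channel actor: no principal to authorize
  if (!cfg.allowedSenderIds.includes(u.user.id)) return null; // unauthorized sender: drop silently
  const emojis = emojisOf(u);
  if (emojis.length === 0) return null;                       // reaction withdrawn: nothing to notify
  return { kind: "reaction", chatId: u.chat.id, messageId: u.message_id, senderId: u.user.id, emojis };
}
```

Dropped updates are a useful detection signal: logging the rejected sender id and chat id lets an operator spot probing of reaction handling without exposing anything to the agent.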


Remediation

Install security update from vendor's website.

Sources