Improper access control in OpenClaw - #VU128780

Published: May 1, 2026


Vulnerability identifier: #VU128780
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
OpenClaw
Software vendor:
OpenClaw

Description

The vulnerability allows a remote attacker to trigger unauthorized media downloads and disk writes on the host running OpenClaw.

The vulnerability exists due to improper access control in the Telegram DM handler, which processes inbound media messages before the sender authorization check completes. A remote attacker can send media messages, including media groups (albums), to the bot and cause the media to be fetched and written to disk even though the sender is not authorized to interact with it.

The issue affects Telegram DM mode. The vendor's fix also moves inbound channel activity tracking in the Telegram message context path to after the authorization logic, so an unauthorized sender no longer updates channel activity state either.
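The ordering problem described above, as an added illustration that is not OpenClaw's code: a minimal Telegram DM handler in the vulnerable shape (side effects on the way to the check) next to the corrected shape (check first, then side effects). The message types, the allowlist policy, the in-memory stand-in for the media directory and the sample traffic are all assumptions made for the example.

```typescript
// Added example, not OpenClaw's code. Every type, function and policy below
// (the allowlist, the in-memory "disk", the message shapes) is an assumption
// made to illustrate the ordering bug the advisory describes.

interface TgPhoto { file_id: string; file_size: number }
interface TgMessage {
  message_id: number;
  from: { id: number };
  chat: { id: number };
  media_group_id?: string;   // set on every part of a Telegram album
  photo?: TgPhoto[];         // one entry per photo (size variants omitted)
}

interface HandlerState {
  allowedSenders: Set<number>;        // DM allowlist (assumed policy)
  disk: Map<string, number>;          // path -> bytes; stands in for the filesystem
  lastInboundAt: Map<number, number>; // chat id -> last inbound activity timestamp
  downloads: number;                  // number of media fetches performed
}

function newState(allowed: number[]): HandlerState {
  return { allowedSenders: new Set(allowed), disk: new Map(), lastInboundAt: new Map(), downloads: 0 };
}

// Stand-in for getFile + HTTP download + write into the media directory.
function downloadMedia(state: HandlerState, photo: TgPhoto): void {
  state.downloads += 1;
  state.disk.set("media/" + photo.file_id + ".jpg", photo.file_size);
}

function isAuthorizedSender(state: HandlerState, msg: TgMessage): boolean {
  return state.allowedSenders.has(msg.from.id);
}

type Handler = (state: HandlerState, msg: TgMessage, now: number) => boolean;

// Vulnerable ordering: activity tracking and media download run before the
// allowlist is consulted, so an unknown sender still causes network and disk
// side effects even though the message is ultimately dropped.
const handleVulnerable: Handler = (state, msg, now) => {
  state.lastInboundAt.set(msg.chat.id, now);
  for (const p of msg.photo ?? []) downloadMedia(state, p);
  if (!isAuthorizedSender(state, msg)) return false;
  return true;
};

// Hardened ordering: the allowlist is consulted first and nothing else runs
// for a rejected sender. Each album part carries its own `from`, so the check
// is made per message rather than cached per media_group_id.
const handleHardened: Handler = (state, msg, now) => {
  if (!isAuthorizedSender(state, msg)) return false;
  state.lastInboundAt.set(msg.chat.id, now);
  for (const p of msg.photo ?? []) downloadMedia(state, p);
  return true;
};

interface RunResult { accepted: number; downloads: number; diskBytes: number; trackedChats: number }

// Feed a batch of inbound messages through a handler and summarise the side effects.
function run(handler: Handler, allowed: number[], msgs: TgMessage[]): RunResult {
  const state = newState(allowed);
  let accepted = 0;
  msgs.forEach((m, i) => { if (handler(state, m, 1000 + i)) accepted += 1; });
  let diskBytes = 0;
  for (const n of state.disk.values()) diskBytes += n;
  return { accepted, downloads: state.downloads, diskBytes, trackedChats: state.lastInboundAt.size };
}

// Constructed sample traffic: one allowlisted sender (42) with a single photo,
// and one unknown sender (666) sending a three-part album to a fresh DM chat.
const SAMPLE: TgMessage[] = [
  { message_id: 1, from: { id: 42 }, chat: { id: 42 }, photo: [{ file_id: "ok1", file_size: 1000 }] },
  { message_id: 2, from: { id: 666 }, chat: { id: 666 }, media_group_id: "g1", photo: [{ file_id: "bad1", file_size: 5000000 }] },
  { message_id: 3, from: { id: 666 }, chat: { id: 666 }, media_group_id: "g1", photo: [{ file_id: "bad2", file_size: 5000000 }] },
  { message_id: 4, from: { id: 666 }, chat: { id: 666 }, media_group_id: "g1", photo: [{ file_id: "bad3", file_size: 5000000 }] },
];

console.log("vulnerable:", run(handleVulnerable, [42], SAMPLE));
console.log("hardened:  ", run(handleHardened, [42], SAMPLE));
```

Both handlers accept exactly one message, but the vulnerable ordering performs four downloads, writes about 15 MB to disk and records activity for the attacker's chat, while the hardened ordering performs one download, writes 1 kB and tracks only the authorized chat. When reviewing a real handler, the check is the same: trace every network fetch, disk write and state update in the inbound path and confirm each sits after the authorization decision, including the album (media group) path, which is easy to route through a separate code path that skips the check.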


Remediation

Install the security update from the vendor's website.

External links