CVE-2026-35661
Received Received - Intake
Authorization Bypass in OpenClaw Telegram Callback Allows Session Mutation

Publication date: 2026-04-10

Last updated on: 2026-04-13

Assigner: VulnCheck

Description
OpenClaw before 2026.3.25 contains an authorization bypass vulnerability in Telegram callback query handling that allows attackers to mutate session state without satisfying normal DM pairing requirements. Remote attackers can exploit weaker callback-only authorization in direct messages to bypass DM pairing and modify session state.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-10
Last Modified
2026-04-13
Generated
2026-06-16
AI Q&A
2026-04-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-35661
EUVD
EUVD-2026-21468
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
openclaw openclaw to 2026.3.25 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-288 The product requires authentication, but the product has an alternate path or channel that does not require authentication.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided context and resources do not contain information regarding the impact of CVE-2026-35661 on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-35661 is an authorization bypass vulnerability in OpenClaw versions before 2026.3.25 that affects Telegram callback query handling. The flaw allows remote attackers to bypass the normal direct message (DM) pairing requirements by exploiting weaker callback-only authorization mechanisms within Telegram DMs. This means attackers can mutate or modify the session state without proper authentication, using Telegram callback queries in private chats.

Technically, the vulnerability arises because Telegram callback queries in DMs used a weaker authorization check compared to standard DM commands, allowing unauthorized users to trigger callbacks and change session state without satisfying the usual DM pairing requirements.

Impact Analysis

This vulnerability allows remote attackers to bypass authorization controls in Telegram direct messages, enabling them to modify session state without proper authentication. Such unauthorized session mutations can lead to unexpected or malicious behavior within the application using OpenClaw.

Because the flaw requires no privileges or user interaction and can be exploited remotely, it poses a moderate security risk. Attackers could potentially manipulate user sessions, which might affect the integrity of user data or application state.

Detection Guidance

There is no specific information provided about detection commands or network/system detection methods for this vulnerability.

Mitigation Strategies

To mitigate CVE-2026-35661, you should update OpenClaw to version 2026.3.25 or later, which includes a patch that enforces proper direct message (DM) authorization for Telegram callback queries.

The patch modifies the Telegram bot handler logic to require the same sender authorization checks for DM callback queries as for standard DM commands, preventing unauthorized users from exploiting inline button callbacks in private chats.

Applying this update will close the authorization bypass vulnerability and prevent attackers from mutating session state without satisfying DM pairing requirements.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-35661. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart