CVE-2026-35661
Authorization Bypass in OpenClaw Telegram Callback Allows Session Mutation
Publication date: 2026-04-10
Last updated on: 2026-04-13
Assigner: VulnCheck
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openclaw | openclaw | all versions before 2026.3.25 (upper bound exclusive; fixed in 2026.3.25) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-288 | The product requires authentication, but the product has an alternate path or channel that does not require authentication. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided context and resources do not contain information regarding the impact of CVE-2026-35661 on compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
CVE-2026-35661 is an authorization bypass in OpenClaw versions before 2026.3.25 that affects how the Telegram bot handles callback queries, the updates Telegram sends when a user taps an inline keyboard button. Callback queries arriving in a direct message (DM) were authorized by a weaker, callback-only check than ordinary DM commands, so a remote sender who had not completed the normal DM pairing could still trigger callbacks in a private chat and mutate session state.
Technically, the weakness is an alternate channel into the same state-changing logic (CWE-288): the pairing requirement was enforced for DM text commands but not for DM callback queries, so an unpaired user could reach the callback handlers and change session state without ever satisfying the DM pairing requirement.
How can this vulnerability impact me?
This vulnerability allows remote attackers to bypass authorization controls in Telegram direct messages, enabling them to modify session state without proper authentication. Such unauthorized session mutations can lead to unexpected or malicious behavior within the application using OpenClaw.
Because the flaw requires no privileges or user interaction and can be exploited remotely, it poses a moderate security risk. Attackers could potentially manipulate user sessions, which might affect the integrity of user data or application state.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
There is no specific information provided about detection commands or network/system detection methods for this vulnerability.
What immediate steps should I take to mitigate this vulnerability?
To mitigate CVE-2026-35661, you should update OpenClaw to version 2026.3.25 or later, which includes a patch that enforces proper direct message (DM) authorization for Telegram callback queries.
The patch modifies the Telegram bot handler logic to require the same sender authorization checks for DM callback queries as for standard DM commands, preventing unauthorized users from exploiting inline button callbacks in private chats.
Applying this update will close the authorization bypass vulnerability and prevent attackers from mutating session state without satisfying DM pairing requirements.
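The following is an added example, not code from OpenClaw or from this advisory, showing the pattern the two answers above describe: a Telegram update dispatcher in which DM text commands are gated on pairing but callback queries only check that the chat is private, beside the hardened form that applies the same sender check to callback queries. The update shapes follow the Telegram Bot API ("message" and "callback_query"); the pairing store, session fields, callback data strings ("session:reset", "model:<name>") and user IDs are assumptions for illustration.

```javascript
// Added illustrative example, not OpenClaw's code: a minimal Telegram-style
// update dispatcher with the authorization gap described for CVE-2026-35661
// beside its hardened form. Update shapes follow the Telegram Bot API
// ("message" vs "callback_query"); the pairing store, session fields and
// callback data strings ("session:reset", "model:<name>") are hypothetical.

// Constructed pairing store: Telegram user IDs that completed DM pairing.
const PAIRED_USER_IDS = new Set([1001]);

// The sender check DM text commands already go through: a private chat whose
// sender has completed pairing.
function isDmSenderAuthorized(chat, from) {
  return chat.type === "private" && PAIRED_USER_IDS.has(from.id);
}

function makeSession() {
  return { model: "default", history: ["earlier turn"] };
}

// State-changing operations reachable from text commands and from inline
// button callbacks. Both mutate the session, so both need the same gate.
function applyCommand(text, session) {
  if (text === "/reset") { session.history = []; return "command applied"; }
  return "unknown command";
}

function applyCallback(data, session) {
  if (data === "session:reset") { session.history = []; return "callback applied"; }
  if (data.startsWith("model:")) { session.model = data.slice("model:".length); return "callback applied"; }
  return "unknown callback";
}

// Vulnerable pattern: DM commands are gated on pairing, but callback queries
// are accepted as long as the chat is private (CWE-288: an alternate channel
// with weaker authorization into the same session-mutating logic).
function dispatchVulnerable(update, session) {
  if (update.message) {
    const { chat, from, text } = update.message;
    if (!isDmSenderAuthorized(chat, from)) return "ignored";
    return applyCommand(text, session);
  }
  if (update.callback_query) {
    const { message, data } = update.callback_query;
    if (message.chat.type !== "private") return "ignored"; // no pairing check
    return applyCallback(data, session);
  }
  return "ignored";
}

// Hardened pattern: callback queries pass through the same sender check as
// commands. The identity checked is callback_query.from (the user who tapped
// the button), not only the chat the bot's message sits in.
function dispatchHardened(update, session) {
  if (update.message) {
    const { chat, from, text } = update.message;
    if (!isDmSenderAuthorized(chat, from)) return "ignored";
    return applyCommand(text, session);
  }
  if (update.callback_query) {
    const { message, from, data } = update.callback_query;
    if (!isDmSenderAuthorized(message.chat, from)) return "ignored";
    return applyCallback(data, session);
  }
  return "ignored";
}

// Constructed updates: an unpaired user (id 2002) in a private chat with the
// bot, and a paired user (id 1001) for comparison.
const UNPAIRED_DM_COMMAND = {
  message: { chat: { id: 2002, type: "private" }, from: { id: 2002 }, text: "/reset" },
};
const UNPAIRED_DM_CALLBACK = {
  callback_query: {
    id: "cb-1",
    from: { id: 2002 },
    message: { chat: { id: 2002, type: "private" } },
    data: "session:reset",
  },
};
const PAIRED_DM_CALLBACK = {
  callback_query: {
    id: "cb-2",
    from: { id: 1001 },
    message: { chat: { id: 1001, type: "private" } },
    data: "model:fast",
  },
};

// Runs one update through a dispatcher on a fresh session and reports the
// outcome together with the resulting session state.
function probe(dispatch, update) {
  const session = makeSession();
  const result = dispatch(update, session);
  return { result, historyLength: session.history.length, model: session.model };
}

console.log("vulnerable, unpaired command :", probe(dispatchVulnerable, UNPAIRED_DM_COMMAND));
console.log("vulnerable, unpaired callback:", probe(dispatchVulnerable, UNPAIRED_DM_CALLBACK));
console.log("hardened,   unpaired callback:", probe(dispatchHardened, UNPAIRED_DM_CALLBACK));
console.log("hardened,   paired callback  :", probe(dispatchHardened, PAIRED_DM_CALLBACK));
```

In the vulnerable dispatcher the unpaired user's "/reset" command is ignored, but the same user's "session:reset" callback is applied and empties the session history; the hardened dispatcher rejects that callback and still accepts the paired user's. The point to check in any bot handler of this shape is that every update type that can reach state-changing code, not only text commands, passes through the same sender authorization.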