GHSA-h656-5vcf-cm23: OpenClaw: Unauthorized Telegram Senders Trigger Media Download and Disk Write Before Access Check

March 3, 2026

In Telegram DM mode, inbound media was downloaded and written to disk before sender authorization checks completed. An unauthorized sender could trigger inbound media download/write activity (including media groups) even when DM access should be denied.

References

github.com/advisories/GHSA-h656-5vcf-cm23
github.com/openclaw/openclaw
github.com/openclaw/openclaw/commit/9514201fb9b51de5d0b23151110d0ff5d9c8bd67
github.com/openclaw/openclaw/security/advisories/GHSA-h656-5vcf-cm23

Code Behaviors & Features

Detect and mitigate GHSA-h656-5vcf-cm23 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →