GHSA-qj22-xqjr-v83v: OpenClaw's Telegram message_reaction authorization bypass allows unauthorized system-event injection

March 3, 2026

A missing sender-authorization check in Telegram message_reaction handling allowed unauthorized users to trigger reaction-derived system events.

References

github.com/advisories/GHSA-qj22-xqjr-v83v
github.com/openclaw/openclaw
github.com/openclaw/openclaw/commit/e56b0cf1a04f992ac6ebc775899f48ea31687640
github.com/openclaw/openclaw/security/advisories/GHSA-qj22-xqjr-v83v

Code Behaviors & Features

Detect and mitigate GHSA-qj22-xqjr-v83v with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →