OpenClaw Telegram webhook request bodies were read before secret validation, enabling unauthenticated resource exhaustion

Summary openclaw versions = 2026.3.12 read and buffered Telegram webhook request bodies before validating x-telegram-bot-api-secret-token. This let unauthenticated callers force up to the configured webhook body limit of pre-auth body I/O and JSON parse work per request. Affected Packages /...

OpenClaw's Browser Relay /cdp websocket is missing auth which could allow cross-tab cookie access

Summary In affected versions, the Browser Relay /cdp WebSocket endpoint did not require an authentication token. As a result, a website running in the browser could potentially connect to the local relay via loopback WebSocket and use CDP to access cookies from other open tabs and run JavaScript ...

PT-2026-20324

Name of the Vulnerable Software and Affected Versions openclaw versions prior to 2026.2.1 Description In Telegram webhook mode, if channels.telegram.webhookSecret is not set, the software may accept webhook HTTP requests without verifying Telegram’s secret token header. This can allow forged...