2 matches found
GHSA-6HF3-MHGC-CM65 OpenClaw session tool visibility hardening and Telegram webhook secret fallback
Vulnerability In some shared-agent deployments, OpenClaw session tools sessionslist, sessionshistory, sessionssend allowed broader session targeting than some operators intended. This is primarily a configuration/visibility-scoping issue in multi-user environments where peers are not equally...
GHSA-FHVM-J76F-QMJV OpenClaw has a potential access-group authorization bypass if channel type lookup fails
Summary When Telegram webhook mode is enabled without a configured webhook secret, OpenClaw may accept unauthenticated HTTP POST requests at the Telegram webhook endpoint and trust attacker-controlled update JSON. This can allow forged Telegram updates that spoof message.from.id / chat.id,...