OpenClaw's Telegram integration lets a user trigger an interactive callback that marks itself as an authorized sender before the commands.allowFrom check runs, effectively letting an unlisted Telegram user execute gated commands. There's no CVSS score, EPSS data, KEV listing, public exploit, or Nuclei template published yet, so this isn't an actively-exploited or scanner-ready bug today — but it's an authorization logic flaw (CWE-863) in a widely-deployed AI agent gateway with 4 downstream dependents and a track record of 425 other CVEs in the same package, which signals a maintenance/security-hygiene concern worth weighing before trusting it in production. The real exposure is any deployment that enables Telegram command callbacks and shares a single OpenClaw Gateway across users who shouldn't have equal command privileges. Patch to 2026.5.6 immediately; until then, restrict Telegram command callbacks to trusted chats only, and disable the feature entirely if it's not actively needed. Treat this as a priority patch for any Gateway exposed to a Telegram bot with mixed-trust membership, and audit logs for command executions attributed to senders outside your configured allowlist.
What is the risk?
High severity per the vendor advisory (CWE-863, Incorrect Authorization), but real-world risk is conditional: exploitation requires the affected Telegram callback feature to be enabled and reachable by a lower-trust user, and no CVSS vector, EPSS score, CISA KEV listing, public PoC, or Nuclei template currently exist to indicate active or trivial exploitation. The trust model OpenClaw documents (authenticated operators and installed plugins remain trusted) narrows blast radius to deployments that intentionally expose Telegram command callbacks to less-trusted senders — e.g., shared or multi-tenant Gateways. Given the package's large surface (425 other CVEs, package risk score 0/100, unknown last GitHub push), operational hygiene around this dependency should be treated with elevated scrutiny independent of this specific bug.
How does the attack unfold?
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| OpenClaw | npm | <= 2026.5.5 | 2026.5.6 |
Do you use OpenClaw? You're affected.
How severe is it?
What should I do?
1 step-
1) Patch to OpenClaw >= 2026.5.6 immediately, where the allowlist check is enforced before the callback authorization flag is set. 2) Until patched, restrict Telegram command callbacks to trusted chats/groups only, and disable the affected callback feature entirely if not in active use. 3) Keep channel and tool allowlists as narrow as possible; avoid sharing a single Gateway instance between mutually untrusted users or tenants. 4) For detection, audit command-execution logs for any command attributed to a Telegram sender not present in the configured commands.allowFrom list, and review recent activity for anomalous command invocations correlating with callback interactions. 5) Given 425 other CVEs recorded against this package, treat OpenClaw as a higher-scrutiny dependency and monitor its advisory feed closely going forward.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is GHSA-w5ww-7chg-mxcq?
OpenClaw's Telegram integration lets a user trigger an interactive callback that marks itself as an authorized sender before the commands.allowFrom check runs, effectively letting an unlisted Telegram user execute gated commands. There's no CVSS score, EPSS data, KEV listing, public exploit, or Nuclei template published yet, so this isn't an actively-exploited or scanner-ready bug today — but it's an authorization logic flaw (CWE-863) in a widely-deployed AI agent gateway with 4 downstream dependents and a track record of 425 other CVEs in the same package, which signals a maintenance/security-hygiene concern worth weighing before trusting it in production. The real exposure is any deployment that enables Telegram command callbacks and shares a single OpenClaw Gateway across users who shouldn't have equal command privileges. Patch to 2026.5.6 immediately; until then, restrict Telegram command callbacks to trusted chats only, and disable the feature entirely if it's not actively needed. Treat this as a priority patch for any Gateway exposed to a Telegram bot with mixed-trust membership, and audit logs for command executions attributed to senders outside your configured allowlist.
Is GHSA-w5ww-7chg-mxcq actively exploited?
No confirmed active exploitation of GHSA-w5ww-7chg-mxcq has been reported, but organizations should still patch proactively.
How to fix GHSA-w5ww-7chg-mxcq?
1) Patch to OpenClaw >= 2026.5.6 immediately, where the allowlist check is enforced before the callback authorization flag is set. 2) Until patched, restrict Telegram command callbacks to trusted chats/groups only, and disable the affected callback feature entirely if not in active use. 3) Keep channel and tool allowlists as narrow as possible; avoid sharing a single Gateway instance between mutually untrusted users or tenants. 4) For detection, audit command-execution logs for any command attributed to a Telegram sender not present in the configured commands.allowFrom list, and review recent activity for anomalous command invocations correlating with callback interactions. 5) Given 425 other CVEs recorded against this package, treat OpenClaw as a higher-scrutiny dependency and monitor its advisory feed closely going forward.
What systems are affected by GHSA-w5ww-7chg-mxcq?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI agent gateways, chat-based command interfaces.
What is the CVSS score for GHSA-w5ww-7chg-mxcq?
No CVSS score has been assigned yet.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0050 Command and Scripting Interpreter AML.T0053 AI Agent Tool Invocation Compliance Controls Affected
What are the technical details?
Original Advisory
### Summary Telegram interactive callbacks could skip commands.allowFrom. In affected versions, a Telegram user able to invoke an affected callback could mark the callback as an authorized sender before applying `commands.allowFrom`. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. ### Impact When the affected feature is enabled and reachable, this could trigger command behavior outside the configured Telegram sender allowlist. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. ### Patched Versions The first stable patched version is `2026.5.6`. ### Mitigations restrict Telegram command callbacks to trusted chats until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.
Exploitation Scenario
An unauthorized Telegram user who can reach an OpenClaw Gateway's bot (e.g., in a shared group chat, or because the bot responds to any DM) taps an interactive inline-keyboard callback exposed by the affected feature. The callback handler internally flags the interaction as coming from an authorized sender before the commands.allowFrom allowlist check executes, so the attacker's subsequent command request passes authorization despite never being on the allowlist. The attacker then invokes commands the operator intended to restrict to trusted senders only — potentially including agent tool calls, automation triggers, or administrative actions — without needing credentials, exploit tooling, or deep AI/ML expertise.
Weaknesses (CWE)
CWE-863 — Incorrect Authorization: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
- [Architecture and Design] Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries. Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
- [Architecture and Design] Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Source: MITRE CWE corpus.
References
Timeline
Related Vulnerabilities
CVE-2026-33579 9.9 OpenClaw: scope bypass escalates low-priv to admin
Same package: openclaw CVE-2026-32922 9.9 OpenClaw: privilege escalation to RCE via token scope bypass
Same package: openclaw CVE-2026-30741 9.8 OpenClaw: RCE via request-side prompt injection
Same package: openclaw CVE-2026-32038 9.8 OpenClaw: sandbox bypass enables container lateral movement
Same package: openclaw CVE-2026-53838 9.8 OpenClaw: approval scope bypass via reconnection state
Same package: openclaw