Search for vulnerabilities
| Vulnerability ID | VCID-4t15-ucme-rfds |
| Aliases |
GHSA-h656-5vcf-cm23
|
| Summary | OpenClaw: Unauthorized Telegram Senders Trigger Media Download and Disk Write Before Access Check In Telegram DM mode, inbound media was downloaded and written to disk before sender authorization checks completed. An unauthorized sender could trigger inbound media download/write activity (including media groups) even when DM access should be denied. |
| Status | Published |
| Exploitability | 0.5 |
| Weighted Severity | 6.2 |
| Risk | 3.1 |
| Affected and Fixed Packages | Package Details |
| System | Score | Found at |
|---|---|---|
| cvssv3.1_qr | MODERATE | https://github.com/advisories/GHSA-h656-5vcf-cm23 |
| generic_textual | MODERATE | https://github.com/openclaw/openclaw |
| generic_textual | MODERATE | https://github.com/openclaw/openclaw/commit/9514201fb9b51de5d0b23151110d0ff5d9c8bd67 |
| cvssv3.1_qr | MODERATE | https://github.com/openclaw/openclaw/security/advisories/GHSA-h656-5vcf-cm23 |
| generic_textual | MODERATE | https://github.com/openclaw/openclaw/security/advisories/GHSA-h656-5vcf-cm23 |
| Reference id | Reference type | URL |
|---|---|---|
| https://github.com/openclaw/openclaw | ||
| https://github.com/openclaw/openclaw/commit/9514201fb9b51de5d0b23151110d0ff5d9c8bd67 | ||
| GHSA-h656-5vcf-cm23 | https://github.com/advisories/GHSA-h656-5vcf-cm23 | |
| GHSA-h656-5vcf-cm23 | https://github.com/openclaw/openclaw/security/advisories/GHSA-h656-5vcf-cm23 |
No EPSS data available for this vulnerability.
| Date | Actor | Action | Source | VulnerableCode Version |
|---|---|---|---|---|
| 2026-05-30T21:07:31.783207+00:00 | GitLab Importer | Import | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/openclaw/GHSA-h656-5vcf-cm23.yml | 38.6.0 |