OpenClaw (Clawdbot) Telegram Username Identity Confusion Vulnerability (CVE-2026-XXXXX) – Medium

Listen to this Post

The vulnerability resides in the authorization mechanism for Telegram allowlists within OpenClaw (and its predecessor Clawdbot). Prior to the patch, the system allowed configuration files to list Telegram principals (users) by their `@username` (e.g., "allowFrom": ["@john_doe"]) instead of strictly requiring the immutable numeric `Telegram User ID` (e.g., "123456789"). Telegram usernames are mutable and subject to recycling; they can be changed by the user or released and re-registered by a different individual. An attacker can exploit this by acquiring a username previously listed in a bot’s allowlist. When the vulnerable bot receives a message from the new owner of that username, it matches the incoming sender against the `@username` string in the list, incorrectly authorizing the attacker. This effectively bypasses the intended identity control (allowlist), allowing an unauthorized actor to interact with the AI agent, potentially accessing its tools, context, and connected services as if they were a trusted user .

DailyCVE Form:

Platform: OpenClaw/Clawdbot
Version: ≤ 2026.2.13/1.24-3
Vulnerability: Username Identity Rebinding
Severity: Medium
Date: February 18, 2026

Prediction: Patches applied

What Undercode Say:

Detection:

To check if your current configuration uses the vulnerable `@username` format, inspect your `openclaw.json` or `clawdbot.json` files.

Check for non-numeric entries in Telegram allowlists
grep -E '"allowFrom".:.[' config/openclaw.json | grep -E '@|"[a-zA-Z]'

Verification:

Verify the numeric ID of a known Telegram user to compare against the required secure format.

Using a Telegram bot to get the numeric ID of a user (requires bot token)
curl -s "https://api.telegram.org/bot<YOUR_BOT_TOKEN>/getUpdates" | jq '.result[].message.from.id'

Exploit:

An attacker simply needs to register a Telegram username that was previously trusted by a vulnerable bot.

1. `Victim Config`: `”allowFrom”: [“@trusted_user”]`

  1. Legitimate User: Changes their username to something else and releases @trusted_user.

3. `Attacker`: Registers the newly available `@trusted_user`.

  1. Attack: Sends a message to the bot: /start. The bot sees the sender as `@trusted_user` (matching the allowlist) and grants access, while the correct behavior would be to check the immutable ID, which is now different.

Protection:

Update to the latest patched version immediately. After updating, run the provided doctor tool to automatically resolve usernames to their numeric IDs .

Update the package
npm update -g openclaw
Run the fix utility to resolve usernames to numeric IDs
openclaw doctor --fix
Manually ensure all "allowFrom" entries are integers
Example secure config:
"telegram": {
"dmPolicy": "allowlist",
"allowFrom": ["123456789", "987654321"]
}

Impact:

Successful exploitation leads to a complete failure of the allowlist as an identity control. An attacker can interact with the AI agent, potentially leading to:
– Unauthorized access to the agent’s conversation history and context.
– Ability to trigger tools and skills the agent has access to (e.g., reading files, making API calls).
– Social engineering of the agent to perform actions on connected platforms.
– Exfiltration of data processed by the agent .

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top