OpenClaw 4.5 regression: Telegram approval prompts can surface in the wrong DM

[telos-oc]

OpenClaw 4.5 regression: Telegram approval prompts can surface in the wrong DM, leaking host-approval actions across chats

Summary

After upgrading to v2026.4.5, a host approval prompt initiated while investigating Jeffe's Telegram DM surfaced in Sarah's separate Telegram DM. Sarah is allowlisted to chat with the assistant, but she is not the initiator of the command and should not receive approval prompts for work started in Jeffe's DM.

This appears to be a Telegram DM routing/approval-context leak, not just a normal permission check.

Impact

• Host approval prompts can be delivered to the wrong Telegram DM
• A different allowlisted user may see internal diagnostic commands started from another person's conversation
• This is a cross-chat isolation failure, not just a UX issue
• It risks accidental approval/denial by the wrong person

Concrete example

Sarah received an approval prompt for this host diagnostic command:

python3 - <<'PY'
import json
p='/Users/telos/.openclaw/agents/main/sessions/sessions.json'
with open(p) as f:
 data=json.load(f)
for k,v in data.items():
 if '8439007096' in k or ('origin' in v and ('8439007096' in json.dumps(v.get('origin',{})) or '8439007096' in json.dumps(v.get('deliveryContext',{})))):
 print('KEY:', k)
 print(json.dumps(v, indent=2)[:6000])
 print('---')
PY

Approval id shown to Sarah:

• 71b2f6a2-77d7-48ee-bec0-d9c33edfcd08

That command was initiated during investigation of Jeffe's DM session, not Sarah's.

Expected behavior

• Approval prompts should only surface in the chat/session that initiated the pending command
• Allowlisted users should not see approvals for commands started from another user's DM
• Approval authority should stay bound to the originating conversation context

Actual behavior

• Approval prompt surfaced in Sarah's DM even though the command belonged to Jeffe's investigation flow
• This occurred despite Sarah not appearing to have an active Telegram DM session entry in sessions.json

Evidence

Session map evidence

Live sessions.json lookup found Jeffe's Telegram entries, but not Sarah's:

• Found:
  • agent:main:telegram:direct:8439007096
  • agent:main:telegram:slash:8439007096
• Not found:
  • 8586126983
  • 8351575041

This suggests Sarah's approval prompt did not originate from a normal Sarah-bound session entry.

Runtime behavior

• Jeffe initiated host-level diagnostics in his Telegram DM
• Sarah received the approval prompt for one of those commands
• Gateway/runtime otherwise remained operational

Suspected root cause

Likely one of the following in 4.5 Telegram approval routing:

1. approval prompts are using stale Telegram DM reply-target state
2. approval prompts are keyed too loosely by channel/account rather than originating chat/session
3. direct-message routing is leaking across allowlisted Telegram users when no active session entry exists for the recipient
4. approval UI delivery path is using the wrong conversation context after a reset/new-session/remap event

Given the parallel DM instability observed elsewhere in 4.5, this may share root cause with Telegram direct-session state handling.

Why this is serious

This is not just a delayed message problem. It crosses a trust boundary:

• one user can receive operational approval prompts created by another user's session
• the wrong person can see command details and potentially approve or deny them

Suggested repro

1. Configure Telegram with multiple allowlisted DM users
2. Start a host-approval-requiring diagnostic from Jeffe's DM
3. Have another allowlisted Telegram user with prior DM history present in the system
4. Trigger approval flow during or after DM reset/remap conditions
5. Observe whether approval prompt surfaces in the wrong DM

Suggested fix directions

1. Bind approval delivery strictly to originating sessionKey plus originating chat id
2. Refuse fallback delivery of approvals to any other DM when original chat context is missing or stale
3. Add logging that records approval id -> originating session key -> delivered chat id
4. Add regression tests for multiple allowlisted Telegram DMs with concurrent/pending approvals
5. Audit any fallback path that chooses lastChannel, lastTo, or channel-global state for approval delivery

Environment

• OpenClaw v2026.4.5
• macOS
• Telegram enabled
• Multiple allowlisted Telegram users
• Approval leak observed across separate Telegram DMs

[neeravmakwana]

Opened a fix that routes native exec approval origin resolution through the same turn-source-aware session target helper as forwarding, so stale session lastChannel/lastTo cannot disagree with the approval request turn metadata and widen delivery (see #62817).

[neeravmakwana]

Re-opened after the PR limit auto-close: #62829 (supersedes closed #62817).

[steipete]

Closing this as implemented after Codex review.

Current main already routes exec approval delivery from turn-source metadata instead of stale session routing, Telegram native approvals use that shared origin-target path, and the changelog says this fix shipped in v2026.2.26. The issue discussion also already pointed to PRs #62817/#62829 as the fix path for this exact regression.

What I checked:

• Shipped changelog entry: The 2026.2.26 changelog fixes include: Security/Exec approvals forwarding: prefer turn-source channel/account/thread metadata when resolving approval delivery targets so stale session routes do not misroute approval prompts.. (CHANGELOG.md:3922, c997a9f9788e)
• Forwarder now passes turn-source routing fields: defaultResolveSessionTarget(...) forwards turnSourceChannel, turnSourceTo, turnSourceAccountId, and turnSourceThreadId into approval target resolution instead of relying only on stored session route state. (src/infra/exec-approval-forwarder.ts:314, c997a9f9788e)
• Approval target resolution prefers turn-source delivery metadata: resolveExecApprovalSessionTarget(...) resolves delivery through resolveSessionDeliveryTarget(...) with turn-source channel/account/thread inputs, which is the exact guard against stale lastChannel / lastTo routing widening delivery. (src/infra/exec-approval-session-target.ts:138, c997a9f9788e)
• Telegram native approvals use shared origin-target resolver: Telegram's approval adapter builds resolveTelegramOriginTarget with createChannelNativeOriginTargetResolver(...), so Telegram approval delivery is bound through the shared turn-source-aware origin/session matching path. (extensions/telegram/src/approval-native.ts:67, c997a9f9788e)
• Regression coverage for stale-session misrouting: The infra test explicitly asserts that approval routing prefers turn-source routing over stale session delivery state, covering the failure mode described in this issue. (src/infra/exec-approval-session-target.test.ts:160, c997a9f9788e)
• Issue discussion already identified the fix path: The issue comments from neeravmakwana linked PR #62817 and then superseding PR #62829 as the fix for this exact Telegram approval-routing leak. (issue #62718)

So I’m closing this as already implemented rather than keeping a duplicate issue open.

Review notes: reviewed against c997a9f9788e; fix evidence: release v2026.2.26.