openclaw - ✅(Solved) Fix [Bug]: Telegram media download fails with "Blocked: resolves to private/internal/special-use IP address" for large files [1 pull requests, 5 comments, 5 participants]

GitHub stats
openclaw/openclaw#57452, fetched 2026-04-08 01:49:30
Comments: 5 · Participants: 5 · Timeline: 27 · Reactions: 0
Timeline (top): mentioned ×6, subscribed ×6, commented ×5, referenced ×5

OpenClaw version: 2026.3.28
Channel: Telegram
File size: Any, but large files (15MB+) more likely to trigger consistently

Description: Since the 2026.3.28 update, PDF files (and other media) sent via Telegram fail to download with the error: "⚠️ Failed to download media. Please try again."

Gateway logs show: [security] blocked URL fetch (url-fetch) target=https://api.telegram.org/file/bot.../documents/file_XX.pdf reason=Blocked: resolves to private/internal/special-use IP address

Root cause identified: In auth-profiles-B5ypC5S-.js, the Telegram SSRF policy sets allowRfc2544BenchmarkRange: false, while Discord, Signal, and other channels set it to true. When Telegram's CDN file servers resolve to RFC 2544 benchmark range IPs, the SSRF check blocks the download.

The relevant code in auth-profiles-B5ypC5S-.js line ~130072:

function buildTelegramMediaSsrfPolicy(apiRoot) {
  return {
    hostnameAllowlist: hostnames,
    ...allowedHostnames ? { allowedHostnames } : {},
    allowRfc2544BenchmarkRange: false // ← This is the problem
  };
}

Compare with Discord's policy (line ~199026): allowRfc2544BenchmarkRange: true // ← Discord allows it

Expected behavior: Telegram media downloads should succeed, just as Discord, Signal, and other channels do for the same CDN IP ranges.

Suggested fix: Either:

  1. Change allowRfc2544BenchmarkRange: false → true for Telegram media SSRF policy, OR
  2. Make it configurable via channels.telegram.mediaSsrfPolicy.allowRfc2544BenchmarkRange

Workaround: None via config — the SSRF policy is hardcoded in the bundle.

Error Message

Since the 2026.3.28 update, PDF files (and other media) sent via Telegram fail to download with the error: "⚠️ Failed to download media. Please try again."

Root Cause

Root cause identified: In auth-profiles-B5ypC5S-.js, the Telegram SSRF policy sets allowRfc2544BenchmarkRange: false, while Discord, Signal, and other channels set it to true. When Telegram's CDN file servers resolve to RFC 2544 benchmark range IPs, the SSRF check blocks the download.

Fix Action

Fix / Workaround

Workaround: None via config — the SSRF policy is hardcoded in the bundle.

PR fix notes

PR #57624: fix(telegram): allow RFC 2544 benchmark IPs in media download SSRF policy (#57452)

Description (problem / solution / changelog)

Summary

Telegram CDN file servers sometimes resolve to IPs in the RFC 2544 benchmark range (198.18.0.0/15). The Telegram SSRF policy set allowRfc2544BenchmarkRange: false, blocking legitimate media downloads and causing "Failed to download media" errors for voice messages, PDFs, and other files.

Root Cause

buildTelegramMediaSsrfPolicy() in extensions/telegram/src/bot/delivery.resolve-media.ts set allowRfc2544BenchmarkRange: false while Discord and Slack both set it to true. When Telegram's CDN servers resolve to addresses in the 198.18.0.0/15 range, the SSRF check rejects the download.

Changes

  • extensions/telegram/src/bot/delivery.resolve-media.ts: change allowRfc2544BenchmarkRange from false to true, matching Discord and Slack behavior
  • extensions/telegram/src/bot/delivery.resolve-media-retry.test.ts: update test expectations to match

Test

All 23 tests pass in delivery.resolve-media-retry.test.ts.

Closes #57452 Closes #57564

Changed files

  • CHANGELOG.md (modified, +1/-0)
  • extensions/telegram/src/bot/delivery.resolve-media-retry.test.ts (modified, +2/-2)
  • extensions/telegram/src/bot/delivery.resolve-media.ts (modified, +1/-1)

Bug type

Behavior bug (incorrect output/state without crash)

Beta release blocker

No

Steps to reproduce

Since the 2026.3.28 update, PDF files (and other media) sent via Telegram fail to download with the error: "⚠️ Failed to download media. Please try again."

Expected behavior

Expected behavior: Telegram media downloads should succeed, just as Discord, Signal, and other channels do for the same CDN IP ranges.

Actual behavior

PDF files (and other media) sent via Telegram fail to download with the error: "⚠️ Failed to download media. Please try again."

OpenClaw version

2026.3.28

Operating system

MacOS 26.3.1 (25D2128)

Install method

npm global

Model

minimax m2.7

Provider / routing chain

openclaw->opentourter->minimaxm2.7

Additional provider/model setup details

No response

Logs, screenshots, and evidence

Impact and severity

No response

Additional information

No response

extent analysis

Fix Plan

To resolve the issue with Telegram media downloads, we need to update the allowRfc2544BenchmarkRange setting in the Telegram SSRF policy.

Option 1: Hardcode the fix

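Update the buildTelegramMediaSsrfPolicy function to set allowRfc2544BenchmarkRange to true. The issue locates it in the bundled auth-profiles-B5ypC5S-.js; per PR #57624 the source file is extensions/telegram/src/bot/delivery.resolve-media.ts: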

function buildTelegramMediaSsrfPolicy(apiRoot) {
  return {
    hostnameAllowlist: hostnames,
    ...allowedHostnames ? { allowedHostnames } : {},
    allowRfc2544BenchmarkRange: true  // Update this line
  };
}

Option 2: Make it configurable

Alternatively, you can make the allowRfc2544BenchmarkRange setting configurable via the channels.telegram.mediaSsrfPolicy object. To do this, update the buildTelegramMediaSsrfPolicy function to use a configurable value:

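// `channels` is assumed to be the loaded configuration object; `hostnames` and
// `allowedHostnames` are defined in the surrounding bundle code (not shown).
const telegramMediaSsrfPolicy = channels?.telegram?.mediaSsrfPolicy ?? {};

function buildTelegramMediaSsrfPolicy(apiRoot) {
  return {
    hostnameAllowlist: hostnames,
    ...allowedHostnames ? { allowedHostnames } : {},
    // Only a literal boolean true enables the range; a missing or non-boolean value keeps it blocked
    allowRfc2544BenchmarkRange: telegramMediaSsrfPolicy.allowRfc2544BenchmarkRange === true
  };
}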

Then, add a configuration option for channels.telegram.mediaSsrfPolicy.allowRfc2544BenchmarkRange and set it to true.

Verification

To verify that the fix worked, try downloading a PDF file or other media via Telegram. The download should succeed without displaying the "⚠️ Failed to download media. Please try again." error.

Extra Tips

  • Make sure to test the fix with large files (15MB+) to ensure that the issue is fully resolved.
  • Consider adding additional logging or monitoring to detect similar issues in the future.
  • If you choose to make the allowRfc2544BenchmarkRange setting configurable, ensure that you properly validate and sanitize user-inputted values to prevent security vulnerabilities.
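What the flag should and should not change, as an added example that is not OpenClaw's code: a resolved-address check in which the RFC 2544 exemption covers only 198.18.0.0/15 and is enabled only by a literal boolean in config. The function names, the list of always-blocked ranges (an illustrative IPv4 subset) and the sample addresses are assumptions constructed for this example.

```javascript
// Added example, not OpenClaw's code; all names here are hypothetical.
// IPv4 only: a production check must also classify IPv6 and mapped addresses.
const ALWAYS_BLOCKED = [
  "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
  "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
];
const RFC2544_BENCHMARK = "198.18.0.0/15"; // 198.18.0.0 - 198.19.255.255

// Dotted-quad IPv4 -> unsigned integer, or null when malformed.
// Leading zeros are rejected to avoid octal-style ambiguity.
function ipv4ToInt(ip) {
  const parts = String(ip).split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^(0|[1-9]\d{0,2})$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// True when ip falls inside cidr (arithmetic, so no signed 32-bit surprises).
function inCidr(ip, cidr) {
  const [base, bits] = cidr.split("/");
  const addr = ipv4ToInt(ip);
  const start = ipv4ToInt(base);
  return addr !== null && addr >= start && addr < start + 2 ** (32 - Number(bits));
}

// Config is untrusted input: "true", 1 or a missing key all leave the range blocked.
function policyFromConfig(cfg) {
  return { allowRfc2544BenchmarkRange: cfg?.allowRfc2544BenchmarkRange === true };
}

// Decide whether a DNS-resolved address may be fetched under the policy.
function checkResolvedAddress(ip, policy) {
  if (ipv4ToInt(ip) === null) return { allowed: false, reason: "unparseable address" };
  if (ALWAYS_BLOCKED.some((c) => inCidr(ip, c)))
    return { allowed: false, reason: "private/internal address" };
  if (inCidr(ip, RFC2544_BENCHMARK) && !policy.allowRfc2544BenchmarkRange)
    return { allowed: false, reason: "RFC 2544 benchmark range" };
  return { allowed: true, reason: "ok" };
}

// Constructed sample addresses, evaluated with the exemption on and off.
function evaluateSamples() {
  const on = policyFromConfig({ allowRfc2544BenchmarkRange: true });
  const off = policyFromConfig({ allowRfc2544BenchmarkRange: false });
  return ["198.18.0.25", "10.0.0.5", "169.254.169.254", "8.8.8.8"].map((ip) => ({
    ip, on: checkResolvedAddress(ip, on).allowed, off: checkResolvedAddress(ip, off).allowed }));
}
```

With the exemption on, only the 198.18.0.0/15 sample changes from blocked to allowed; the private and link-local samples stay blocked either way.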
