Issue Station
Sign In
Tools hereToolbox

openclaw - 💡(How to fix) Fix [Bug]: WhatsApp gateway sends message to Telegram user ID interpreted as phone number during config recovery [1 participants]

Official PRs (…)
ON THIS PAGE

Recommended Tools

×6

Utilities matched from this issue’s tags and category — try them while you read without losing context.

GitHub issue graph ai analysis

Paste a GitHub issue URL. We fetch that issue, discover linked issues from bodies/comments/timeline, collect linked pull requests, and produce a structured English report.

The report is written in English Markdown for sharing and archival.

Helpful · Quick feedback

Loading…
GitHub stats
openclaw/openclaw#56839Fetched 2026-04-08 01:47:08
View on GitHub
Comments
0
Participants
1
Timeline
0
Reactions
0
Author
bencoremansbencoremans
Participants
bencoremansbencoremans

During a config recovery scenario (config reset to defaults, WhatsApp gateway reconnecting), the WhatsApp channel sent an error message to a Telegram user ID that was incorrectly interpreted as a phone number. The Telegram user ID XXXXXXXXXX (10 digits) was treated as an international phone number +X XXX XXX-XX-X0, causing the message to be delivered to an unrelated third party via WhatsApp.

Error Message

During a config recovery scenario (config reset to defaults, WhatsApp gateway reconnecting), the WhatsApp channel sent an error message to a Telegram user ID that was incorrectly interpreted as a phone number. The Telegram user ID XXXXXXXXXX (10 digits) was treated as an international phone number +X XXX XXX-XX-X0, causing the message to be delivered to an unrelated third party via WhatsApp. 4. Cron jobs fail with "LLM request failed: network connection error." 5. The error delivery mechanism attempts to send the error via WhatsApp, but uses the Telegram user ID as the WhatsApp destination phone number Error messages should only be routed to the correct channel using the correct identifier format. A Telegram user ID should never be interpreted as a WhatsApp phone number. Cross-channel identifier confusion should be prevented by validating the identifier format against the target channel's expected format (phone number for WhatsApp, numeric chat ID for Telegram). The WhatsApp gateway sent the error message "LLM request failed: network connection error." to the Telegram user ID interpreted as an international phone number. The message was delivered to an unrelated third-party WhatsApp account in a foreign country. The user's own WhatsApp chat history shows the message as outbound (sent from their linked WhatsApp number to the foreign number). Multiple cron jobs show lastError: "LLM request failed: network connection error." and lastDeliveryError: "LLM request failed: network connection error." in the cron job state during the incident window (2026-03-28 ~14:00-20:00 UTC). The user's WhatsApp chat shows an outbound message (green bubble, single checkmark) sent to a foreign number that is numerically identical to their Telegram user ID. The message content is exactly "LLM request failed: network connection error." — the standard OpenClaw LLM failure error string.

  • Consequence: (1) User's WhatsApp number is exposed to an unrelated third party, (2) internal system error messages are sent to external parties, (3) in a worse scenario, actual message content (not just errors) could be misdirected

Root Cause

During a config recovery scenario (config reset to defaults, WhatsApp gateway reconnecting), the WhatsApp channel sent an error message to a Telegram user ID that was incorrectly interpreted as a phone number. The Telegram user ID XXXXXXXXXX (10 digits) was treated as an international phone number +X XXX XXX-XX-X0, causing the message to be delivered to an unrelated third party via WhatsApp.

Fix Action

Fix / Workaround

Workaround: Ensure WhatsApp gateway is fully disconnected before performing config resets, or disable cron jobs before config changes.

RAW_BUFFERClick to expand / collapse

Bug type

Behavior bug (incorrect output/state without crash)

Beta release blocker

No

Summary

During a config recovery scenario (config reset to defaults, WhatsApp gateway reconnecting), the WhatsApp channel sent an error message to a Telegram user ID that was incorrectly interpreted as a phone number. The Telegram user ID XXXXXXXXXX (10 digits) was treated as an international phone number +X XXX XXX-XX-X0, causing the message to be delivered to an unrelated third party via WhatsApp.

Steps to reproduce

  1. Have a multi-channel setup with both Telegram and WhatsApp configured
  2. Have cron jobs configured with delivery.to or target fields referencing Telegram chat IDs (e.g., telegram:XXXXXXXXXX)
  3. Trigger a config crisis: reset config to defaults while WhatsApp gateway is reconnecting
  4. Cron jobs fail with "LLM request failed: network connection error."
  5. The error delivery mechanism attempts to send the error via WhatsApp, but uses the Telegram user ID as the WhatsApp destination phone number

Expected behavior

Error messages should only be routed to the correct channel using the correct identifier format. A Telegram user ID should never be interpreted as a WhatsApp phone number. Cross-channel identifier confusion should be prevented by validating the identifier format against the target channel's expected format (phone number for WhatsApp, numeric chat ID for Telegram).

Actual behavior

The WhatsApp gateway sent the error message "LLM request failed: network connection error." to the Telegram user ID interpreted as an international phone number. The message was delivered to an unrelated third-party WhatsApp account in a foreign country. The user's own WhatsApp chat history shows the message as outbound (sent from their linked WhatsApp number to the foreign number).

OpenClaw version

2026.3.24 (cff6dc9)

Operating system

Linux 6.8.0-101-generic (x64) — Docker container

Install method

Docker (docker-compose)

Model

cliproxy/claude-haiku-4-5-20251001 (cron jobs), cliproxy/claude-opus-4-6 (main)

Provider / routing chain

openclaw -> cliproxyapi (local container) -> anthropic

Additional provider/model setup details

Multi-channel configuration: Telegram (primary) + WhatsApp (secondary). Multiple cron jobs configured with Telegram-specific delivery targets (telegram:<user_id>). During the incident, the config had been reset to Hostinger defaults, causing temporary misconfiguration of both channels simultaneously. The WhatsApp gateway was in the process of reconnecting (session re-link via QR).

Logs, screenshots, and evidence

Multiple cron jobs show lastError: "LLM request failed: network connection error." and lastDeliveryError: "LLM request failed: network connection error." in the cron job state during the incident window (2026-03-28 ~14:00-20:00 UTC).

The user's WhatsApp chat shows an outbound message (green bubble, single checkmark) sent to a foreign number that is numerically identical to their Telegram user ID. The message content is exactly "LLM request failed: network connection error." — the standard OpenClaw LLM failure error string.

Cron configurations reference target fields like telegram:XXXXXXXXXX and to: telegram:XXXXXXXXXX in delivery blocks. During config recovery, the channel prefix may have been stripped or ignored, causing the numeric ID to be passed directly to the WhatsApp send function.

Impact and severity

  • Affected: Any multi-channel deployment (Telegram + WhatsApp) during config recovery/reconnection
  • Severity: High — messages are sent to unrelated third parties (privacy/data leak vector)
  • Frequency: Edge case — requires config reset + WhatsApp reconnection + cron failure coinciding
  • Consequence: (1) User's WhatsApp number is exposed to an unrelated third party, (2) internal system error messages are sent to external parties, (3) in a worse scenario, actual message content (not just errors) could be misdirected

Additional information

The core issue appears to be missing channel-identifier validation. When a delivery target like telegram:1234567890 is processed during a degraded state (config partially loaded, WhatsApp reconnecting), the telegram: prefix may be stripped or the routing logic may fall back to WhatsApp without validating that the remaining numeric ID is a valid phone number.

Suggested fix: Add identifier format validation before sending on any channel:

  • WhatsApp: validate E.164 phone number format (starts with +, country code, correct length)
  • Telegram: validate numeric chat ID (no phone format)
  • Never allow cross-channel identifier passthrough without explicit format validation

Workaround: Ensure WhatsApp gateway is fully disconnected before performing config resets, or disable cron jobs before config changes.

extent analysis

Fix Plan

To resolve the issue, we need to add identifier format validation before sending messages on any channel. Here are the steps:

  • Validate WhatsApp phone numbers: Ensure the number starts with "+", has a correct country code, and meets the E.164 format length requirements.
  • Validate Telegram chat IDs: Verify that the ID is numeric and does not match the phone number format.
  • Prevent cross-channel identifier passthrough: Never allow an identifier to be passed to a different channel without explicit format validation.

Example code snippet in Python:

import re

def validate_whatsapp_phone_number(phone_number):
    """Validate WhatsApp phone number format"""
    pattern = re.compile(r'^\+[1-9]\d{1,14}$')
    return bool(pattern.match(phone_number))

def validate_telegram_chat_id(chat_id):
    """Validate Telegram chat ID format"""
    pattern = re.compile(r'^\d+$')
    return bool(pattern.match(chat_id))

def send_message(channel, identifier):
    """Send message on the specified channel with identifier validation"""
    if channel == 'whatsapp':
        if not validate_whatsapp_phone_number(identifier):
            raise ValueError("Invalid WhatsApp phone number format")
    elif channel == 'telegram':
        if not validate_telegram_chat_id(identifier):
            raise ValueError("Invalid Telegram chat ID format")
    # Send the message on the validated channel
    # ...

Verification

To verify the fix, test the following scenarios:

  • Send a message on WhatsApp with a valid phone number.
  • Send a message on WhatsApp with an invalid phone number (e.g., without the "+" prefix).
  • Send a message on Telegram with a valid chat ID.
  • Send a message on Telegram with an invalid chat ID (e.g., containing non-numeric characters).
  • Attempt to send a message on WhatsApp with a Telegram chat ID (should raise an error).

Extra Tips

  • Ensure that the validation logic is applied consistently across all channels and message types.
  • Consider adding additional validation for other channel-specific identifier formats.
  • Review the code for any potential security vulnerabilities or data leaks.

Vote matrix · Quick signals

Works
Did the solution work? Tap to confirm.
Easy Fix
Was it a quick fix?
Time Saver
Did it save you time?
Blocking
Was it severely blocking?
Common Issue
Are others likely hitting this too?
Flaky / Intermittent
Is it intermittent?
Verified / Reproducible
Can you reproduce it reliably?
Loading…

FAQ

Expected behavior

Error messages should only be routed to the correct channel using the correct identifier format. A Telegram user ID should never be interpreted as a WhatsApp phone number. Cross-channel identifier confusion should be prevented by validating the identifier format against the target channel's expected format (phone number for WhatsApp, numeric chat ID for Telegram).

#api#conversation history#tool integration#LLM response#prompt template

Still need to ship something?

×6

Another batch ranked right after the header list — different links, same matching logic.

Back to top recommendations

TRENDING