5 matches found

Github Security Blog
added 2026/04/01 12:1 a.m. | 6 views

OpenClaw: Google Chat and Zalouser group sender allowlist bypass via policy downgrade

Summary: When only a route-level group allowlist was configured, sender policy resolution silently downgraded from allowlist to open instead of preserving the configured group policy. Impact: Any member of an allowlisted Google Chat space or Zalouser group could interact with the bot even when the...

5.3 CVSS | 5.9 AI score | 0.00011 EPSS
Exploits: 0 | References: 5 | Affected Software: 1
CVE
added 2026/03/31 2:10 p.m. | 6 views

CVE-2026-33578

OpenClaw before version 2026.3.28 contains a sender policy bypass vulnerability in the Google Chat and Zalouser extensions, where route-level group allowlist policies silently downgrade to an open policy. This flaw lets attackers bypass sender restrictions and interact with bots despite configure...

5.3 CVSS | 5.9 AI score | 0.00011 EPSS
Exploits: 0 | References: 3 | Affected Software: 1
Cvelist
added 2026/03/31 2:10 p.m. | 19 views

CVE-2026-33578 OpenClaw < 2026.3.28 - Sender Policy Allowlist Bypass via Policy Downgrade in Google Chat and Zalouser Extensions

OpenClaw before 2026.3.28 contains a sender policy bypass vulnerability in the Google Chat and Zalouser extensions where route-level group allowlist policies silently downgrade to open policy. Attackers can exploit this policy resolution flaw to bypass sender restrictions and interact with bots...

5.3 CVSS | 0.00011 EPSS
Exploits: 0 | References: 3
RedhatCVE
added 2026/01/07 9:15 a.m. | 4 views

CVE-2019-16791

In postfix-mta-sts-resolver before 0.5.1, All users can receive incorrect response from daemon under rare conditions, rendering downgrade of effective STS policy...

6.9 CVSS | 6.8 AI score | 0.003 EPSS
Exploits: 0 | References: 1
Tenable Nessus
added 2025/08/27 12:0 a.m. | 2 views

Linux Distros Unpatched Vulnerability : CVE-2019-16791

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - In postfix-mta-sts-resolver before 0.5.1, All users can receive incorrect response from daemon under rare conditions, rendering downgrade of effective STS polic...

6.9 CVSS | 6.6 AI score | 0.003 EPSS
Exploits: 0 | References: 2