5 matches found
Incorrect Authorization
Overview @openclaw/zalo is an OpenClaw Zalo channel plugin Affected versions of this package are vulnerable to Incorrect Authorization in the GROUP message dispatch process. An attacker can gain unauthorized access to restricted group message handling by sending GROUP messages from a sender not...
GHSA-534W-2VM4-89XR OpenClaw's Zalo group sender allowlist bypass permits unauthorized GROUP dispatch
A missing group-sender authorization check in the Zalo plugin allowed unauthorized GROUP messages to enter agent dispatch paths in configurations intended to restrict group traffic. Impact When Zalo group handling was configured with allowlist-style controls, a sender not present in the intended...
GHSA-GW85-XP4Q-5GP9 OpenClaw's Synology Chat dmPolicy=allowlist failed open on empty allowedUserIds, allowing unauthorized agent dispatch
Summary In openclaw versions 2026.2.22 and 2026.2.23, the optional synology-chat channel plugin had an authorization fail-open condition: when dmPolicy was allowlist and allowedUserIds was empty/unset, unauthorized senders were still allowed through to agent dispatch. This is assessed as medium...
GHSA-CCG8-46R6-9QGJ OpenClaw's dispatch-wrapper depth-cap mismatch can bypass shell-wrapper approval gating in system.run allowlist mode
Summary A wrapper-depth parsing mismatch in system.run allowed nested transparent dispatch wrappers for example repeated /usr/bin/env to suppress shell-wrapper detection while still matching allowlist resolution. In security=allowlist + ask=on-miss, this could bypass the expected approval prompt...
Protection Mechanism Failure
Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Protection Mechanism Failure through improper validation of the docker.network configuration parameter. An attacker can gain unauthorized access to internal network resources by specifyin...