Lucene search
K

5 matches found

Snyk
Snyk
added 2026/03/03 11:18 p.m.2 views

Incorrect Authorization

Overview @openclaw/zalo is an OpenClaw Zalo channel plugin Affected versions of this package are vulnerable to Incorrect Authorization in the GROUP message dispatch process. An attacker can gain unauthorized access to restricted group message handling by sending GROUP messages from a sender not...

5.3CVSS5.8AI score
Exploits0References2
OSV
OSV
added 2026/03/03 11:18 p.m.7 views

GHSA-534W-2VM4-89XR OpenClaw's Zalo group sender allowlist bypass permits unauthorized GROUP dispatch

A missing group-sender authorization check in the Zalo plugin allowed unauthorized GROUP messages to enter agent dispatch paths in configurations intended to restrict group traffic. Impact When Zalo group handling was configured with allowlist-style controls, a sender not present in the intended...

5.3CVSS5.9AI score
Exploits0References3
OSV
OSV
added 2026/03/03 11:3 p.m.6 views

GHSA-GW85-XP4Q-5GP9 OpenClaw's Synology Chat dmPolicy=allowlist failed open on empty allowedUserIds, allowing unauthorized agent dispatch

Summary In openclaw versions 2026.2.22 and 2026.2.23, the optional synology-chat channel plugin had an authorization fail-open condition: when dmPolicy was allowlist and allowedUserIds was empty/unset, unauthorized senders were still allowed through to agent dispatch. This is assessed as medium...

5.3CVSS6AI score0.00321EPSS
Exploits0References6
OSV
OSV
added 2026/03/03 7:16 p.m.7 views

GHSA-CCG8-46R6-9QGJ OpenClaw's dispatch-wrapper depth-cap mismatch can bypass shell-wrapper approval gating in system.run allowlist mode

Summary A wrapper-depth parsing mismatch in system.run allowed nested transparent dispatch wrappers for example repeated /usr/bin/env to suppress shell-wrapper detection while still matching allowlist resolution. In security=allowlist + ask=on-miss, this could bypass the expected approval prompt...

8.8CVSS6AI score0.00276EPSS
Exploits0References5
Snyk
Snyk
added 2026/03/02 11:37 p.m.4 views

Protection Mechanism Failure

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Protection Mechanism Failure through improper validation of the docker.network configuration parameter. An attacker can gain unauthorized access to internal network resources by specifyin...

9.8CVSS5.9AI score0.00265EPSS
Exploits0References3
Rows per page
Query Builder