19 matches found

RedhatCVE
added 2026/04/01 5:03 p.m., 1 view

CVE-2026-33578

OpenClaw before 2026.3.28 contains a sender policy bypass vulnerability in the Google Chat and Zalouser extensions where route-level group allowlist policies silently downgrade to open policy. Attackers can exploit this policy resolution flaw to bypass sender restrictions and interact with bots...

CVSS 5.3 | AI score 5.9 | EPSS 0.00011
Exploits: 0 | References: 1
Github Security Blog
added 2026/04/01 12:01 a.m., 5 views

OpenClaw: Google Chat and Zalouser group sender allowlist bypass via policy downgrade

Summary: When only a route-level group allowlist was configured, sender policy resolution silently downgraded from allowlist to open instead of preserving the configured group policy. Impact: Any member of an allowlisted Google Chat space or Zalouser group could interact with the bot even when the...

CVSS 5.3 | AI score 5.9 | EPSS 0.00011
Exploits: 0 | References: 5 | Affected Software: 1
OSV
added 2026/04/01 12:01 a.m., 1 view

GHSA-63MG-XP9J-JFCM OpenClaw: Google Chat and Zalouser group sender allowlist bypass via policy downgrade

Summary: When only a route-level group allowlist was configured, sender policy resolution silently downgraded from allowlist to open instead of preserving the configured group policy. Impact: Any member of an allowlisted Google Chat space or Zalouser group could interact with the bot even when the...

CVSS 9.8 | AI score 5.9 | EPSS 0.00011
Exploits: 0 | References: 5
EUVD
added 2026/04/01 12:01 a.m., 2 views

EUVD-2026-17435

OpenClaw: Google Chat and Zalouser group sender allowlist bypass via policy downgrade...

CVSS 5.3 | AI score 5.8 | EPSS 0.00011
Exploits: 0 | References: 4
NVD
added 2026/03/31 3:16 p.m., 2 views

CVE-2026-33578

OpenClaw before 2026.3.28 contains a sender policy bypass vulnerability in the Google Chat and Zalouser extensions where route-level group allowlist policies silently downgrade to open policy. Attackers can exploit this policy resolution flaw to bypass sender restrictions and interact with bots...

CVSS 5.3 | EPSS 0.00011
Exploits: 0 | References: 3
Vulnrichment
added 2026/03/31 2:10 p.m., 1 view

CVE-2026-33578 OpenClaw < 2026.3.28 - Sender Policy Allowlist Bypass via Policy Downgrade in Google Chat and Zalouser Extensions

OpenClaw before 2026.3.28 contains a sender policy bypass vulnerability in the Google Chat and Zalouser extensions where route-level group allowlist policies silently downgrade to open policy. Attackers can exploit this policy resolution flaw to bypass sender restrictions and interact with bots...

CVSS 5.3 | AI score 5.9 | EPSS 0.00011
Exploits: 0 | References: 3
ATTACKERKB
added 2026/03/31 2:10 p.m., 1 view

CVE-2026-33578

OpenClaw before 2026.3.28 contains a sender policy bypass vulnerability in the Google Chat and Zalouser extensions where route-level group allowlist policies silently downgrade to open policy. Attackers can exploit this policy resolution flaw to bypass sender restrictions and interact with bots...

CVSS 5.3 | AI score 5.9 | EPSS 0.00011
Exploits: 0 | References: 4
CVE
added 2026/03/31 2:10 p.m., 6 views

CVE-2026-33578

OpenClaw before version 2026.3.28 contains a sender policy bypass vulnerability in the Google Chat and Zalouser extensions, where route-level group allowlist policies silently downgrade to an open policy. This flaw lets attackers bypass sender restrictions and interact with bots despite configure...

CVSS 5.3 | AI score 5.9 | EPSS 0.00011
Exploits: 0 | References: 3 | Affected Software: 1
Cvelist
added 2026/03/31 2:10 p.m., 19 views

CVE-2026-33578 OpenClaw < 2026.3.28 - Sender Policy Allowlist Bypass via Policy Downgrade in Google Chat and Zalouser Extensions

OpenClaw before 2026.3.28 contains a sender policy bypass vulnerability in the Google Chat and Zalouser extensions where route-level group allowlist policies silently downgrade to open policy. Attackers can exploit this policy resolution flaw to bypass sender restrictions and interact with bots...

CVSS 5.3 | EPSS 0.00011
Exploits: 0 | References: 3
Positive Technologies
added 2026/03/31 12:00 a.m., 1 view

PT-2026-29258

Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.3.28. Description: The software contains a sender policy bypass issue in the Google Chat and Zalouser extensions. Route-level group allowlist policies are silently downgraded to open policy, allowing attackers to...

CVSS 9.8 | AI score 5.9 | EPSS 0.00011
Exploits: 0 | References: 9
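The entries above for CVE-2026-33578 all describe the same mechanism: a route-level group allowlist carries a sender policy, but policy resolution never consults it and falls back to "open", so every member of an allowlisted space can reach the bot. The following is an added illustration of that bug class, not OpenClaw's code or a copy of its fix. The configuration shape (a channel-wide senderPolicy plus route.groups keyed by group ID), the resolver names and the sample space and user IDs are assumptions made for this example.

```typescript
// Added example (not OpenClaw's code). Models the policy-resolution downgrade
// described for CVE-2026-33578 / GHSA-63MG-XP9J-JFCM. Config shape, function
// names and sample values are assumptions for this example.

export type SenderPolicy = "open" | "allowlist";

export interface GroupPolicy {
  senderPolicy?: SenderPolicy; // policy for senders inside this allowlisted group
  allowFrom?: string[];        // senders permitted when senderPolicy is "allowlist"
}

export interface RouteConfig {
  groups?: Record<string, GroupPolicy>; // route-level group allowlist (assumed shape)
}

export interface ChannelConfig {
  senderPolicy?: SenderPolicy; // channel-wide default (assumed shape)
  allowFrom?: string[];
}

export interface ResolvedPolicy {
  policy: SenderPolicy;
  allowFrom: string[];
}

const DENY_ALL: ResolvedPolicy = { policy: "allowlist", allowFrom: [] };

// Vulnerable resolver: the group entry only gates *which* groups may reach the
// bot; its own senderPolicy is never read. With no channel-wide policy the
// fallback is "open", so every member of an allowlisted group gets through.
export function resolveVulnerable(channel: ChannelConfig, route: RouteConfig, groupId: string): ResolvedPolicy {
  const group = route.groups?.[groupId];
  if (!group) return DENY_ALL; // group not allowlisted at all
  if (channel.senderPolicy) {
    return { policy: channel.senderPolicy, allowFrom: channel.allowFrom ?? [] };
  }
  return { policy: "open", allowFrom: [] }; // the silent downgrade
}

// Fixed resolver: the group's configured policy wins, then the channel default,
// and the final fallback fails closed ("allowlist" with nobody listed).
export function resolveFixed(channel: ChannelConfig, route: RouteConfig, groupId: string): ResolvedPolicy {
  const group = route.groups?.[groupId];
  if (!group) return DENY_ALL;
  return {
    policy: group.senderPolicy ?? channel.senderPolicy ?? "allowlist",
    allowFrom: group.allowFrom ?? channel.allowFrom ?? [],
  };
}

export function isSenderAllowed(resolved: ResolvedPolicy, sender: string): boolean {
  return resolved.policy === "open" || resolved.allowFrom.includes(sender);
}

// Config audit: which allowlisted groups does the vulnerable resolver open up?
export function findSilentDowngrades(channel: ChannelConfig, route: RouteConfig): string[] {
  return Object.keys(route.groups ?? {}).filter(
    (id) =>
      resolveFixed(channel, route, id).policy === "allowlist" &&
      resolveVulnerable(channel, route, id).policy === "open",
  );
}

// Constructed sample: one allowlisted Google Chat space restricted to alice and
// no channel-wide sender policy, the configuration the advisory describes.
export const sampleChannel: ChannelConfig = {};
export const sampleRoute: RouteConfig = {
  groups: { "spaces/AAAAexample": { senderPolicy: "allowlist", allowFrom: ["users/alice"] } },
};

for (const sender of ["users/alice", "users/mallory"]) {
  const space = "spaces/AAAAexample";
  console.log(
    sender,
    "vulnerable:", isSenderAllowed(resolveVulnerable(sampleChannel, sampleRoute, space), sender),
    "fixed:", isSenderAllowed(resolveFixed(sampleChannel, sampleRoute, space), sender),
  );
}
console.log("silently downgraded groups:", findSilentDowngrades(sampleChannel, sampleRoute));
```

The point of the audit helper is the practitioner's check: run both resolvers over the configured groups and flag any group whose effective policy is "open" although the operator wrote "allowlist". The fixed resolver also chooses a closed default when nothing is configured, which is the behaviour the advisory's wording ("instead of preserving the configured group policy") implies a fix should have.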
EUVD
added 2026/03/29 3:30 p.m., 0 views

EUVD-2026-17014

OpenClaw before 2026.3.12 contains a weak authorization vulnerability in Zalouser allowlist mode that matches mutable group display names instead of stable group identifiers. Attackers can create groups with identical names to allowlisted groups to bypass channel authorization and route messages...

CVSS 9.8 | AI score 5.9 | EPSS 0.00085
Exploits: 0 | References: 3
CVE
added 2026/03/29 12:44 p.m., 9 views

CVE-2026-32975

OpenClaw before 2026.3.12 exposes a weak authorization issue in Zalouser allowlist mode: the system matches mutable group display names rather than stable group identifiers, allowing attackers to craft groups with identical names to bypass channel authorization and route messages from unintended ...

CVSS 9.8 | AI score 5.9 | EPSS 0.00085
Exploits: 0 | References: 2 | Affected Software: 1
Vulnrichment
added 2026/03/29 12:44 p.m., 2 views

CVE-2026-32975 OpenClaw < 2026.3.12 - Weak Authorization via Mutable Group Names in Zalouser Allowlist

OpenClaw before 2026.3.12 contains a weak authorization vulnerability in Zalouser allowlist mode that matches mutable group display names instead of stable group identifiers. Attackers can create groups with identical names to allowlisted groups to bypass channel authorization and route messages...

CVSS 9.8 | AI score 5.9 | EPSS 0.00085
Exploits: 0 | References: 2
Cvelist
added 2026/03/29 12:44 p.m., 18 views

CVE-2026-32975 OpenClaw < 2026.3.12 - Weak Authorization via Mutable Group Names in Zalouser Allowlist

OpenClaw before 2026.3.12 contains a weak authorization vulnerability in Zalouser allowlist mode that matches mutable group display names instead of stable group identifiers. Attackers can create groups with identical names to allowlisted groups to bypass channel authorization and route messages...

CVSS 9.8 | EPSS 0.00085
Exploits: 0 | References: 2
CNNVD
added 2026/03/29 12:00 a.m., 2 views

OpenClaw security vulnerability

OpenClaw is an open-source AI assistant published by OpenClaw. A security vulnerability exists in versions prior to OpenClaw 2026.3.12 that stems from a weak authorization issue in Zalouser allowlist mode, which matches mutable group display names instead of stable group...

CVSS 9.8 | AI score 5.8 | EPSS 0.00085
Exploits: 0 | References: 2
Positive Technologies
added 2026/03/29 12:00 a.m., 1 view

PT-2026-28456

Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.3.12. Description: The software contains a weak authorization issue in Zalouser allowlist mode. The system incorrectly matches mutable group display names instead of stable group identifiers. This allows attackers...

CVSS 9.8 | AI score 5.9 | EPSS 0.00085
Exploits: 0 | References: 8
Snyk
added 2026/03/13 8:54 p.m., 3 views

Incorrect Authorization

Overview: @openclaw/zalouser is an OpenClaw Zalo Personal Account plugin via native zca-js integration. Affected versions of this package are vulnerable to Incorrect Authorization in channels.zalouser.groups. An attacker can gain unauthorized access to restricted channels by reusing a display...

CVSS 9.8 | AI score 5.8 | EPSS 0.00085
Exploits: 0 | References: 3
Github Security Blog
added 2026/03/13 8:54 p.m., 7 views

OpenClaw's Zalouser allowlist authorization matched mutable group names by default

Summary: OpenClaw's Zalouser allowlist mode accepted mutable group names and normalized slugs as authorization matches instead of requiring stable group IDs. In deployments that used name-based channels.zalouser.groups entries together with permissive sender allowlists, a different group could be...

AI score 5.8
Exploits: 0 | References: 3 | Affected Software: 1
OSV
added 2026/03/13 8:54 p.m., 1 view

GHSA-F5MF-3R52-R83W OpenClaw's Zalouser allowlist authorization matched mutable group names by default

Summary: OpenClaw's Zalouser allowlist mode accepted mutable group names and normalized slugs as authorization matches instead of requiring stable group IDs. In deployments that used name-based channels.zalouser.groups entries together with permissive sender allowlists, a different group could be...

AI score 5.9
Exploits: 0 | References: 3
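The CVE-2026-32975 entries above all turn on one comparison: an allowlist entry under channels.zalouser.groups being matched against a group's display name or its normalized slug, both of which anyone who can create a group controls, instead of the platform-assigned group ID. The following is an added illustration of that matching flaw and of an ID-only matcher, not the code of OpenClaw or @openclaw/zalouser. The group object shape, the slug rule, and the assumption that a stable Zalo group ID is an all-digit string (used here only to tell ID entries from typed names) are assumptions made for this example.

```typescript
// Added example (not OpenClaw's or @openclaw/zalouser's code). Models the
// name-based allowlist matching described for CVE-2026-32975 /
// GHSA-F5MF-3R52-R83W. Group shape, slug rule and the numeric-ID assumption
// are assumptions for this example.

export interface IncomingGroup {
  id: string;   // stable identifier assigned by the platform
  name: string; // display name, chosen (and changeable) by the group's creator
}

// Normalized slug, as a name-based matcher might compute it (assumed rule):
// strip diacritics, lowercase, collapse non-alphanumerics to single dashes.
export function slugify(name: string): string {
  return name
    .normalize("NFKD")
    .replace(/[\u0300-\u036f]/g, "")
    .toLowerCase()
    .replace(/[^a-z0-9]+/g, "-")
    .replace(/^-+|-+$/g, "");
}

// Assumption for this example: a stable group ID is an all-digit string, so
// any other allowlist entry is a display name the operator typed.
export function isStableGroupId(entry: string): boolean {
  return /^[0-9]+$/.test(entry);
}

// Vulnerable matcher: ID, exact name and normalized slug are all accepted as
// authorization matches. Anyone who can create a group can pick a colliding
// name (or a name that collides after slugging).
export function isAllowlistedVulnerable(entries: string[], group: IncomingGroup): boolean {
  const slug = slugify(group.name);
  return entries.some((e) => e === group.id || e === group.name || slugify(e) === slug);
}

// Fixed matcher: only a stable ID equal to the group's ID counts. Name-shaped
// entries never authorize anything; the audit below surfaces them for migration.
export function isAllowlistedFixed(entries: string[], group: IncomingGroup): boolean {
  return entries.some((e) => isStableGroupId(e) && e === group.id);
}

// Config audit: entries that rely on a mutable name and should be replaced
// by the group's ID before the fixed matcher is deployed.
export function nameBasedEntries(entries: string[]): string[] {
  return entries.filter((e) => !isStableGroupId(e));
}

// Constructed sample: one name-based entry, one ID-based entry, and three
// incoming groups (the legitimate one and two attacker-created lookalikes).
export const sampleAllowlist = ["Finance Team", "123456789012"];
export const legitGroup: IncomingGroup = { id: "123456789012", name: "Finance Team" };
export const impostorByName: IncomingGroup = { id: "999999999999", name: "Finance Team" };
export const impostorBySlug: IncomingGroup = { id: "888888888888", name: "finance  team!" };

for (const g of [legitGroup, impostorByName, impostorBySlug]) {
  console.log(
    g.id, JSON.stringify(g.name),
    "vulnerable:", isAllowlistedVulnerable(sampleAllowlist, g),
    "fixed:", isAllowlistedFixed(sampleAllowlist, g),
  );
}
console.log("name-based entries to migrate:", nameBasedEntries(sampleAllowlist));
```

Two things worth noticing when running it. The slug lookalike ("finance  team!") passes the vulnerable matcher without even sharing the exact display name, which is why the advisory calls out normalized slugs separately from names. And the vulnerable matcher's `e === group.name` branch means an attacker can also name a group after a legitimate ID string, so name comparison is unsafe even when every allowlist entry is an ID; the fixed matcher avoids that by never comparing against the name at all.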