3 matches found
CVE-2026-53857
OpenClaw before 2026.5.3 is vulnerable: the policy enforcement flaw allows Zalo display-name changes to influence allowFrom policy matching, causing attackers with mutable display names to receive responses intended for other Zalo identities when the feature is enabled. Affected product: OpenClaw...
PT-2026-49038
Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.4.27 Description An authorization bypass exists in QQBot pre-dispatch slash commands. This issue allows authenticated senders to skip allowFrom policy checks, enabling them to invoke slash commands before...
CVE-2026-35621 OpenClaw < 2026.3.24 - Privilege Escalation via chat.send to Allowlist Persistence
OpenClaw before 2026.3.24 contains a privilege escalation vulnerability where the /allowlist command fails to re-validate gateway client scopes for internal callers, allowing operator.write-scoped clients to mutate channel authorization policy. Attackers can exploit chat.send to build an internal...