5 matches found
Duplicate Advisory: OpenClaw Bypasses DM Policy Separation via Synology Chat Webhook Path Collision
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-rqp8-q22p-5j9q This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.22 contains a webhook path route replacement vulnerability in the Synology Chat extension that...
Improper Authorization
Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Improper Authorization in the webhook process. An attacker can gain unauthorized access to direct message policies by exploiting a path collision in the multi-account configuration,...
Improper Authorization
Overview @openclaw/synology-chat is a Synology Chat channel plugin for OpenClaw Affected versions of this package are vulnerable to Improper Authorization in the webhook process. An attacker can gain unauthorized access to direct message policies by exploiting a path collision in the multi-accoun...
CVE-2026-32899 OpenClaw < 2026.2.25 - Sender Policy Bypass in Slack Reaction and Pin Event Handlers
OpenClaw versions prior to 2026.2.25 fail to consistently apply sender-policy checks to reaction and pin non-message events before adding them to system-event context. Attackers can bypass configured DM policies and channel user allowlists to inject unauthorized reaction and pin events from...
EUVD-2026-13304
OpenClaw versions prior to 2026.2.25 fail to enforce dmPolicy and allowFrom authorization checks on Discord direct-message reaction notifications, allowing non-allowlisted users to enqueue reaction-derived system events. Attackers can exploit this inconsistency by reacting to bot-authored DM...