2 matches found
CVE-2026-32039
OpenClaw versions prior to 2026.2.22 contain an authorization bypass vulnerability in the toolsBySender group policy matching that allows attackers to inherit elevated tool permissions through identifier collision attacks. Attackers can exploit untyped sender keys by forcing collisions with mutab...
GHSA-WPPH-CJGR-7C39 OpenClaw's typed sender-key matching for toolsBySender prevents identity-collision policy bypass
Summary channels..groups..toolsBySender could match a privileged sender policy using a colliding mutable identity value for example senderName or senderUsername when deployments used untyped keys. The fix introduces explicit typed sender keys id:, e164:, username:, name:, keeps legacy untyped key...