CVE-2026-31998
OpenClaw 2026.2.22 and 2026.2.23 contain an authorization bypass in the synology-chat channel plugin when dmPolicy is set to allowlist with empty allowedUserIds, allowing attackers with Synology sender access to bypass checks and trigger unauthorized agent dispatch and downstream tool actions. Af...