GHSA-63mg-xp9j-jfcm
Suggest an improvement- Source
- https://github.com/advisories/GHSA-63mg-xp9j-jfcm
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-63mg-xp9j-jfcm/GHSA-63mg-xp9j-jfcm.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-63mg-xp9j-jfcm
- Aliases
-
- CVE-2026-33578
- Downstream
- Published
- 2026-04-01T00:01:10Z
- Modified
- 2026-04-06T17:05:23.034010Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- OpenClaw: Google Chat and Zalouser group sender allowlist bypass via policy downgrade
- Details
-
Summary
When only a route-level group allowlist was configured, sender policy resolution silently downgraded from
allowlisttoopeninstead of preserving the configured group policy.Impact
Any member of an allowlisted Google Chat space or Zalouser group could interact with the bot even when the operator intended sender-level restrictions.
Affected Component
extensions/googlechat/src/monitor-access.ts, extensions/zalouser/src/monitor.tsFixed Versions
- Affected:
<= 2026.3.24 - Patched:
>= 2026.3.28 - Latest stable
2026.3.28contains the fix.
Fix
Fixed by commit
e64a881ae0(Channels: preserve routed group policy).OpenClaw thanks @AntAISecurityLab for reporting.
- Affected:
- Database specific
{ "nvd_published_at": "2026-03-31T15:16:14Z", "severity": "MODERATE", "github_reviewed": true, "cwe_ids": [ "CWE-863" ], "github_reviewed_at": "2026-04-01T00:01:10Z" }- References
-
- https://github.com/openclaw/openclaw/security/advisories/GHSA-63mg-xp9j-jfcm
- https://nvd.nist.gov/vuln/detail/CVE-2026-33578
- https://github.com/openclaw/openclaw/commit/e64a881ae0fb8af18e451163f4c2d611d60cc8e4
- https://github.com/openclaw/openclaw
- https://www.vulncheck.com/advisories/openclaw-sender-policy-allowlist-bypass-via-policy-downgrade-in-google-chat-and-zalouser-extensions
Affected packages
npm / openclaw
Package
- Name
- openclaw
- View open source insights on deps.dev
- Purl
- pkg:npm/openclaw