GHSA-534w-2vm4-89xr
Suggest an improvement- Source
- https://github.com/advisories/GHSA-534w-2vm4-89xr
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-534w-2vm4-89xr/GHSA-534w-2vm4-89xr.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-534w-2vm4-89xr
- Downstream
- Published
- 2026-03-03T23:18:26Z
- Modified
- 2026-03-04T15:11:34.403518Z
- Severity
-
- 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- OpenClaw's Zalo group sender allowlist bypass permits unauthorized GROUP dispatch
- Details
-
A missing group-sender authorization check in the Zalo plugin allowed unauthorized
GROUPmessages to enter agent dispatch paths in configurations intended to restrict group traffic.Impact
When Zalo group handling was configured with allowlist-style controls, a sender not present in the intended group allowlist could still trigger agent processing through the
GROUPmessage path.Root Cause
Group access checks were not consistently enforced before dispatch for Zalo
GROUPmessages. The fix adds explicit runtime group-policy evaluation (groupPolicy,groupAllowFrom, fallback toallowFrom) and fail-closed behavior for missing provider config.Affected Packages / Versions
- Package:
openclaw(npm) - Latest published vulnerable version:
2026.2.23(as of 2026-02-24) - Affected range:
<= 2026.2.23 - Planned patched version:
2026.2.24
Fix Commit(s)
b4010a0b627025c809c0e5dbdbd4770f3bc59ef8
OpenClaw thanks @tdjackey for reporting.
Publication Update (2026-02-25)
openclaw@2026.2.24is published on npm and contains the fix commit(s) listed above. This advisory now marks>= 2026.2.24as patched. - Package:
- Database specific
{ "github_reviewed_at": "2026-03-03T23:18:26Z", "github_reviewed": true, "cwe_ids": [ "CWE-284", "CWE-863" ], "nvd_published_at": null, "severity": "MODERATE" }- References
Affected packages
npm / openclaw
Package
- Name
- openclaw
- View open source insights on deps.dev
- Purl
- pkg:npm/openclaw