GHSA-w7m7-3xcf-mp48

Suggest an improvement
Source
https://github.com/advisories/GHSA-w7m7-3xcf-mp48
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-w7m7-3xcf-mp48/GHSA-w7m7-3xcf-mp48.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-w7m7-3xcf-mp48
Withdrawn
2026-06-18T20:17:21Z
Published
2026-06-16T21:31:59Z
Modified
2026-06-18T20:30:25.205919939Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
  • 8.6 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Duplicate Advisory: Zalo allowFrom could bind to mutable display names
Details

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-8c59-hr4w-qg69. This link is maintained to preserve external references.

Original Description

OpenClaw before 2026.5.3 contains a policy enforcement vulnerability where Zalo contacts with mutable display metadata could match allowFrom policy entries through display name changes. Attackers with mutable display names could receive agent responses intended for different Zalo identities when the feature is enabled.

Database specific
{
    "github_reviewed_at": "2026-06-18T20:17:21Z",
    "nvd_published_at": "2026-06-16T19:17:03Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-290"
    ],
    "severity": "HIGH"
}
References

Affected packages

npm / openclaw

Package

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
2026.5.2

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-w7m7-3xcf-mp48/GHSA-w7m7-3xcf-mp48.json"