CVE-2026-33578: Sender Policy Bypass via Incorrect Authorization in OpenClaw Extensions
Vulnerability ID: CVE-2026-33578
CVSS Score: 4.3
Published: 2026-04-01
OpenClaw versions prior to 2026.3.28 contain a vulnerability in the googlechat and zalouser extensions that allows unauthorized users to bypass sender policy restrictions. A logic error in policy resolution causes route-level group allowlists to silently downgrade to an "open" policy if no specific sender-level allowlist is configured.
TL;DR
A logic flaw in OpenClaw's Google Chat and Zalo extensions allows users to bypass authorization controls. Group-level allowlists downgrade to an open policy if explicit sender lists are empty, allowing unauthorized command execution.
Technical Details
- CWE ID: CWE-863
- Attack Vector: Network
- CVSS v3.1: 4.3
- CVSS v4.0: 5.3
- Exploit Status: Unexploited / Configuration Dependent
- KEV Status: Not Listed
Affected Systems
- OpenClaw googlechat extension (< 2026.3.28)
- OpenClaw zalouser extension (< 2026.3.28)
- OpenClaw: < 2026.3.28 (fixed in 2026.3.28)
Code Analysis
Commit: e64a881
Fix sender policy allowlist bypass in googlechat and zalouser extensions
Mitigation Strategies
- Upgrade OpenClaw software to version 2026.3.28 or later
- Populate all active group policies with explicit sender allowlists to prevent state downgrade
- Audit active configurations for groups whose allowFrom array is empty; on unpatched instances those groups resolve to an open policy
Remediation Steps:
- Identify the current version of OpenClaw running in the environment.
- Pull the latest OpenClaw release (>= 2026.3.28) from the official repository.
- Rebuild and redeploy the application.
- Review the config.groups settings for each extension.
- For any group configuration utilizing allowlists, add at least one authorized user ID to the sender list to prevent bypass conditions in unpatched instances.
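The downgrade described in this advisory, and the configuration audit recommended above, as an added worked example. This is not OpenClaw's code: the config shape (groups keyed by ID, each with a policy and an allowFrom array), the function names and the sample group and user IDs are assumptions made for illustration. The vulnerable resolver reconstructs the logic error (an allowlist with no entries collapses to "open"); the fixed resolver fails closed; the audit helper lists exactly the groups that would downgrade on an unpatched instance.

```typescript
// Added example for CVE-2026-33578; not OpenClaw's code. The config shape,
// function names and sample IDs below are assumptions, not the project's API.

type GroupPolicy = "open" | "allowlist";

interface GroupConfig {
  policy: GroupPolicy;   // how senders in this group are authorized
  allowFrom: string[];   // sender IDs permitted to issue commands
}

interface ExtensionConfig {
  groups: Record<string, GroupConfig>;
}

// Vulnerable resolution (hypothetical reconstruction of the flaw): when no
// sender-level allowlist is configured, the policy is treated as absent and
// silently downgrades to "open", so any sender is admitted.
function isSenderAllowedVulnerable(cfg: ExtensionConfig, groupId: string, senderId: string): boolean {
  const group = cfg.groups[groupId];
  if (!group) return false;
  const effectivePolicy: GroupPolicy = group.allowFrom.length > 0 ? group.policy : "open";
  if (effectivePolicy === "open") return true;
  return group.allowFrom.indexOf(senderId) !== -1;
}

// Fixed resolution: the configured policy is authoritative. An allowlist
// with no entries admits nobody (fail closed) rather than everybody.
function isSenderAllowedFixed(cfg: ExtensionConfig, groupId: string, senderId: string): boolean {
  const group = cfg.groups[groupId];
  if (!group) return false;
  if (group.policy === "open") return true;
  return group.allowFrom.indexOf(senderId) !== -1;
}

// Audit helper for the mitigation step: report groups that use an allowlist
// policy but have an empty allowFrom array, i.e. the state that downgrades
// to "open" on versions before 2026.3.28.
function findDowngradingGroups(cfg: ExtensionConfig): string[] {
  return Object.keys(cfg.groups).filter((id) => {
    const g = cfg.groups[id];
    return g.policy === "allowlist" && g.allowFrom.length === 0;
  });
}

// Constructed sample configuration (not taken from any real deployment).
const sampleConfig: ExtensionConfig = {
  groups: {
    "spaces/ops-room":        { policy: "allowlist", allowFrom: ["users/alice"] },
    "spaces/incident-bridge": { policy: "allowlist", allowFrom: [] },   // misconfigured
    "spaces/public-lobby":    { policy: "open",      allowFrom: [] },
  },
};

// Unpatched behaviour: an arbitrary sender is admitted to the group whose
// allowlist is empty; patched behaviour: the same sender is refused.
const attacker = "users/mallory";
console.log("vulnerable admits attacker to incident-bridge:",
  isSenderAllowedVulnerable(sampleConfig, "spaces/incident-bridge", attacker));
console.log("fixed admits attacker to incident-bridge:",
  isSenderAllowedFixed(sampleConfig, "spaces/incident-bridge", attacker));
console.log("groups needing an explicit allowFrom entry:", findDowngradingGroups(sampleConfig));
```

Running the audit helper over a live configuration export gives the list of groups to populate with at least one authorized user ID while an instance is still on a pre-2026.3.28 build; after upgrading, an empty allowlist denies by default and the entry is no longer load-bearing for security, though it remains good hygiene.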