Severity by source
AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L
Lifecycle Timeline
4DescriptionCVE.org
OpenClaw versions 2026.2.22 prior to 2026.2.24 contain an authorization bypass vulnerability in the synology-chat channel plugin where dmPolicy set to allowlist with empty allowedUserIds fails open. Attackers with Synology sender access can bypass authorization checks to dispatch unauthorized messages to downstream agents and tools.
AnalysisAI
Synology OpenClaw versions prior to 2026.2.24 contain an authorization bypass in the synology-chat channel plugin where misconfigured allowlist policies with empty user IDs fail to enforce access controls. Authenticated attackers with Synology sender privileges can exploit this flaw to send unauthorized messages through downstream agents and tools. A patch is available.
Technical ContextAI
The vulnerability exists in OpenClaw's synology-chat channel plugin, which integrates with Synology Chat for message routing and agent communication. The affected component implements a dmPolicy (dispatch management policy) authorization mechanism that relies on an allowlist validation pattern. When the allowlist mode is enabled but the allowedUserIds field is left empty, the validation logic fails open—a classic CWE-863 (Incorrect Authorization) flaw—rather than failing secure by denying all access. The CPE cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:*:*:* indicates this affects the core OpenClaw application across all configurations. The root cause is improper input validation on the allowedUserIds configuration parameter; empty or missing allowlists should trigger an explicit deny policy rather than permit access to all authenticated senders.
RemediationAI
Upgrade OpenClaw to version 2026.2.24 or later, which includes fixes committed in the repository (references: https://github.com/openclaw/openclaw/commit/0ee30361b8f6ef3f110f3a7b001da6dd3df96bb5 and https://github.com/openclaw/openclaw/commit/7655c0cb3a47d0647cbbf5284e177f90b4b82ddb). Prior to patching, organizations should immediately audit synology-chat channel plugin configurations and ensure that any dmPolicy set to allowlist mode has non-empty, explicitly defined allowedUserIds values; disable the plugin or implement upstream network access controls if allowlist cannot be properly configured. Monitor Synology Chat integration logs for unauthorized message dispatch attempts and review downstream agent execution logs for anomalous activity.
webman/imageSelector.cgi in Synology DiskStation Manager (DSM) 4.0 before 4.0-2259, 4.2 before 4.2-3243, and 4.3 before
Command injection vulnerability in smart.cgi in Synology DiskStation Manager (DSM) before 5.2-5967-5 allows remote authe
An information exposure vulnerability in forget_passwd.cgi in Synology DiskStation Manager (DSM) before 6.1.3-15152 allo
Synology Video Station before 1.5-0763 allows remote attackers to execute arbitrary shell commands via shell metacharact
Multiple directory traversal vulnerabilities in the FileBrowser components in Synology DiskStation Manager (DSM) before
An information exposure vulnerability in index.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remot
Deserialization vulnerability in synophoto_csPhotoMisc.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allo
A vulnerability in synotheme_upload.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers
Command injection vulnerability in login.php in Synology Photo Station before 6.5.3-3226 allows remote attackers to exec
Directory traversal vulnerability in PixlrEditorHandler.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 all
Improper access control vulnerability in Synology Router Manager (SRM) before 1.2.4-8081 allows remote attackers to acce
Improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in Task Manager
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-14595
GHSA-gpwv-vx7w-xqm4