EUVD-2026-17435
GHSA-63mg-xp9j-jfcm
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4Description
OpenClaw before 2026.3.28 contains a sender policy bypass vulnerability in the Google Chat and Zalouser extensions where route-level group allowlist policies silently downgrade to open policy. Attackers can exploit this policy resolution flaw to bypass sender restrictions and interact with bots despite configured allowlist restrictions.
Analysis
Authorization policy bypass in OpenClaw messaging extensions allows unauthenticated remote attackers to circumvent sender allowlist restrictions and interact with bots without authorization. The vulnerability affects OpenClaw versions prior to 2026.3.28, specifically impacting Google Chat and Zalouser extensions where route-level group allowlist policies silently downgrade to open policy during resolution. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all OpenClaw instances and document current versions in use across Google Chat and Zalouser integrations. Within 7 days: Apply vendor patch to upgrade all OpenClaw installations to version 2026.3.28 or later, testing in non-production environments first. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today