Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4Blast Radius
ecosystem impact- 3 npm packages depend on openclaw (3 direct, 0 indirect)
Ecosystem-wide dependent count for version 2026.3.28.
DescriptionCVE.org
OpenClaw before 2026.3.28 contains a sender policy bypass vulnerability in the Google Chat and Zalouser extensions where route-level group allowlist policies silently downgrade to open policy. Attackers can exploit this policy resolution flaw to bypass sender restrictions and interact with bots despite configured allowlist restrictions.
AnalysisAI
Authorization policy bypass in OpenClaw messaging extensions allows unauthenticated remote attackers to circumvent sender allowlist restrictions and interact with bots without authorization. The vulnerability affects OpenClaw versions prior to 2026.3.28, specifically impacting Google Chat and Zalouser extensions where route-level group allowlist policies silently downgrade to open policy during resolution. With CVSS 9.8 (critical severity, network-accessible, no authentication required) and EPSS data unavailable, this represents a significant access control failure. No public exploit identified at time of analysis, though the attack complexity is low and requires no user interaction.
Technical ContextAI
OpenClaw is a messaging bot framework that implements sender policy controls to restrict which users can interact with bot endpoints. The vulnerability stems from improper authorization (CWE-863) in the policy resolution mechanism for Google Chat and Zalouser extensions. When route-level group allowlist policies are configured to restrict sender access, the framework incorrectly downgrades these restrictive policies to open policy during runtime policy resolution. This silent policy downgrade effectively nullifies the intended access control, treating allowlist-protected routes as publicly accessible. The flaw affects the core authorization enforcement logic in affected extensions, not the policy configuration interface itself. According to CPE data (cpe:2.3:a:openclaw:openclaw), this is a vulnerability in the OpenClaw application framework rather than a third-party dependency issue.
RemediationAI
Upgrade immediately to OpenClaw version 2026.3.28 or later, which contains the fix for the policy resolution flaw. The vendor-released patch is available via the GitHub repository commit e64a881ae0fb8af18e451163f4c2d611d60cc8e4 (https://github.com/openclaw/openclaw/commit/e64a881ae0fb8af18e451163f4c2d611d60cc8e4). Organizations unable to upgrade immediately should disable Google Chat and Zalouser extensions until patching is complete, or implement additional authentication layers at the network or application gateway level to compensate for the failed sender allowlist enforcement. Review bot access logs for unexpected sender interactions that may indicate prior exploitation of the policy bypass. Consult the official security advisory at https://github.com/openclaw/openclaw/security/advisories/GHSA-63mg-xp9j-jfcm and VulnCheck's analysis at https://www.vulncheck.com/advisories/openclaw-sender-policy-allowlist-bypass-via-policy-downgrade-in-google-chat-and-zalouser-extensions for additional context.
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17435
GHSA-63mg-xp9j-jfcm