← Zuruck zu CVEs

CVE-2026-31998

HIGH

8.6

Beschreibung

OpenClaw versions 2026.2.22 and 2026.2.23 contain an authorization bypass vulnerability in the synology-chat channel plugin where dmPolicy set to allowlist with empty allowedUserIds fails open. Attackers with Synology sender access can bypass authorization checks and trigger unauthorized agent dispatch and downstream tool actions.

CVE Details

CVSS v3.1 Bewertung8.6

SchweregradHIGH

CVSS VektorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L

AngriffsvektorNETWORK

KomplexitatLOW

Erforderliche PrivilegienNONE

BenutzerinteraktionNONE

Veroffentlicht3/19/2026

Zuletzt geandert3/25/2026

Quellenvd

Honeypot-Sichtungen0

Betroffene Produkte

openclaw:openclaw

Schwachen (CWE)

CWE-863

Referenzen

https://github.com/openclaw/openclaw/commit/0ee30361b8f6ef3f110f3a7b001da6dd3df96bb5(disclosure@vulncheck.com)

https://github.com/openclaw/openclaw/commit/7655c0cb3a47d0647cbbf5284e177f90b4b82ddb(disclosure@vulncheck.com)

https://github.com/openclaw/openclaw/security/advisories/GHSA-gw85-xp4q-5gp9(disclosure@vulncheck.com)

https://www.vulncheck.com/advisories/openclaw-authorization-bypass-in-synology-chat-plugin-via-empty-alloweduserids(disclosure@vulncheck.com)

IOC Korrelationen

Keine Korrelationen erfasst

This product uses data from the NVD API but is not endorsed or certified by the NVD.