CVE-2026-32975

CRITICAL

9.8

Descricao

OpenClaw before 2026.3.12 contains a weak authorization vulnerability in Zalouser allowlist mode that matches mutable group display names instead of stable group identifiers. Attackers can create groups with identical names to allowlisted groups to bypass channel authorization and route messages from unintended groups to the agent.

Detalhes CVE

Pontuacao CVSS v3.19.8

SeveridadeCRITICAL

Vetor CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vetor de ataqueNETWORK

ComplexidadeLOW

Privilegios necessariosNONE

Interacao do usuarioNONE

Publicado3/29/2026

Ultima modificacao3/30/2026

Fontenvd

Avistamentos honeypot0

Produtos afetados

openclaw:openclaw

Fraquezas (CWE)

CWE-807

Referencias

https://github.com/openclaw/openclaw/security/advisories/GHSA-f5mf-3r52-r83w(disclosure@vulncheck.com)

https://www.vulncheck.com/advisories/openclaw-weak-authorization-via-mutable-group-names-in-zalouser-allowlist(disclosure@vulncheck.com)

Correlacoes IOC

Sem correlacoes registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.