OpenClaw Flaws Let Attackers Bypass Group Allowlists and Sender Policies
Two high-severity vulnerabilities in OpenClaw exposed weaknesses in how the platform enforced messaging restrictions in its chat integrations. CVE-2026-32975 affects versions before 2026.3.12 and stems from weak authorization in Zalouser allowlist mode, where access checks used mutable group display names instead of stable group identifiers. That design allowed an attacker to create a group with the same name as an allowlisted group and bypass channel authorization, potentially causing messages from unintended groups to be routed to the agent.
A second flaw, CVE-2026-33578, affects versions before 2026.3.28 in the Google Chat and Zalouser extensions. In that case, route-level group allowlist policies could silently downgrade to an open sender policy, letting attackers bypass configured sender restrictions and interact with bots that should have been limited to approved groups. Both issues were rated high severity with impact to confidentiality, integrity, and availability, and advisories and code references were published alongside fixes in newer OpenClaw releases.
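The two failure modes described above, as an added illustration that is not OpenClaw's code (the page gives neither the project's language nor its configuration keys, so plain Node.js is assumed): an allowlist keyed on a mutable display name beside one keyed on a stable group identifier, and a sender-policy resolver whose fallback is "open" beside one that honours a route-level allowlist and fails closed. Every group id, display name, route name and configuration key below is a constructed placeholder, and the `resolveSenderPolicy*` resolver shapes are a hypothetical model of the policy-resolution weakness, not the vendor's implementation.

```javascript
// Added illustration, not OpenClaw's code: two allowlist-enforcement
// pitfalls from the advisories, modelled generically in Node.js. Group ids,
// names and configuration keys are constructed placeholders.

// ---- Pitfall 1: allowlist keyed on a mutable display name ----

// Constructed allowlist: the operator approved exactly one group.
const ALLOWLISTED_GROUP_IDS = new Set(["grp_8f31c2"]);
const ALLOWLISTED_GROUP_NAMES = new Set(["Ops Team"]);

// Vulnerable: any group carrying the approved display name passes,
// including one created later that simply reuses the name.
function isGroupAllowedByName(group) {
  return ALLOWLISTED_GROUP_NAMES.has(group.name);
}

// Hardened: compare the platform-assigned stable identifier, which the
// creator of a look-alike group cannot choose.
function isGroupAllowedById(group) {
  return ALLOWLISTED_GROUP_IDS.has(group.id);
}

// ---- Pitfall 2: policy resolution that falls through to "open" ----

// Resolved policy shapes (hypothetical):
//   { mode: "open" }               any sender reaches the agent
//   { mode: "allowlist", groups }  only the listed group ids
//   { mode: "deny" }               nobody; the fail-closed default

// Vulnerable resolver: it only consults the top-level allowlist. A
// deployment that scoped its allowlist to a route leaves nothing in view,
// and the fallback is the most permissive mode.
function resolveSenderPolicyVulnerable(config, routeName) {
  const list = config.groupAllowlist;
  if (Array.isArray(list) && list.length > 0) {
    return { mode: "allowlist", groups: new Set(list) };
  }
  return { mode: "open" }; // silent downgrade
}

// Hardened resolver: the route-level allowlist takes precedence over the
// top-level one, "open" must be requested explicitly, and anything the
// resolver cannot positively read as an allowlist resolves to "deny".
function resolveSenderPolicyHardened(config, routeName) {
  const route = (config.routes && config.routes[routeName]) || {};
  const list = route.groupAllowlist ?? config.groupAllowlist;
  if (Array.isArray(list) && list.length > 0) {
    return { mode: "allowlist", groups: new Set(list) };
  }
  if (route.senderPolicy === "open" || config.senderPolicy === "open") {
    return { mode: "open" };
  }
  return { mode: "deny" }; // fail closed
}

// Gate an inbound message on the resolved policy, matching on stable id.
function isSenderAllowed(policy, message) {
  switch (policy.mode) {
    case "open":
      return true;
    case "allowlist":
      return policy.groups.has(message.groupId);
    default:
      return false;
  }
}

// Constructed scenario: the approved group, a look-alike that reuses its
// display name under a different id, and a config whose allowlist lives
// at route level only.
const legitimateGroup = { id: "grp_8f31c2", name: "Ops Team" };
const lookalikeGroup = { id: "grp_a0b9e4", name: "Ops Team" };
const routeScopedConfig = {
  routes: { "google-chat": { groupAllowlist: ["grp_8f31c2"] } },
};
const lookalikeMessage = { groupId: lookalikeGroup.id, text: "hello" };

// Run the look-alike group through both checks and both resolvers.
function demo() {
  const vulnPolicy = resolveSenderPolicyVulnerable(routeScopedConfig, "google-chat");
  const hardPolicy = resolveSenderPolicyHardened(routeScopedConfig, "google-chat");
  return {
    nameCheckAdmitsLookalike: isGroupAllowedByName(lookalikeGroup),
    idCheckAdmitsLookalike: isGroupAllowedById(lookalikeGroup),
    vulnerableMode: vulnPolicy.mode,
    hardenedMode: hardPolicy.mode,
    vulnerableAdmitsLookalike: isSenderAllowed(vulnPolicy, lookalikeMessage),
    hardenedAdmitsLookalike: isSenderAllowed(hardPolicy, lookalikeMessage),
  };
}

console.log(demo());
```

The design point is the same in both halves: authorization decisions should key on values the platform assigns (the stable id) rather than values a remote party can choose (a display name), and a resolver that cannot positively interpret its configuration should deny rather than open up. A quick regression check for either bug is to feed a look-alike group and a route-scoped allowlist through the code path and confirm the message is rejected.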
Timeline
Mar 31, 2026
CVE-2026-33578 disclosed for OpenClaw policy downgrade flaw
A high-severity vulnerability, CVE-2026-33578, was publicly disclosed affecting OpenClaw versions before 2026.3.28. The flaw was classified as CWE-863 and described as a policy resolution weakness that let attackers interact with bots despite configured allowlist controls.
Mar 29, 2026
CVE-2026-32975 disclosed for OpenClaw authorization bypass
A high-severity vulnerability, CVE-2026-32975, was publicly disclosed affecting OpenClaw versions before 2026.3.12. The issue was classified as CWE-807 and described as enabling unauthorized message routing from unintended groups to the agent.
Mar 28, 2026
OpenClaw fixes sender policy bypass in version 2026.3.28
OpenClaw released version 2026.3.28 to fix a sender policy allowlist bypass affecting the Google Chat and Zalouser extensions. The bug caused route-level group allowlist policies to silently downgrade to an open policy, allowing attackers to bypass sender restrictions.
Mar 12, 2026
OpenClaw fixes weak authorization flaw in version 2026.3.12
OpenClaw released version 2026.3.12 to address a weak authorization issue in Zalouser allowlist mode, where mutable group display names were used instead of stable group identifiers. The flaw could let attackers create similarly named groups and bypass channel authorization controls.
Related Stories

OpenClaw Flaws Let Authenticated Users Escalate Privileges and Bypass Authorization
Two high-severity vulnerabilities in OpenClaw exposed paths for authenticated users to gain access beyond their intended roles. **CVE-2026-32042** affects versions before `2026.2.25` and allows an attacker with valid shared gateway authentication to present a self-signed, unpaired device identity and bypass pairing requirements, then self-assign elevated operator scopes including `operator.admin`. The issue is classified as `CWE-863` and effectively turns a trusted but unapproved device identity into a route for privilege escalation. A second flaw, **CVE-2026-32051**, affects OpenClaw versions before `2026.3.1` and allows users with `operator.write` scope to reach owner-only tool surfaces such as gateway and cron through agent runs in scoped-token deployments. The authorization mismatch lets lower-privileged authenticated users perform control-plane actions that should be restricted to owners, creating high risk to confidentiality, integrity, and availability. Advisories for both issues point to fixes and security guidance through GitHub and VulnCheck.
1 week ago
Multiple OpenClaw Flaws Enable Code Execution and Consent Bypass
OpenClaw disclosed several high-severity vulnerabilities that can lead to arbitrary code execution and security control bypass across recent releases. **CVE-2026-35641** affects versions before `2026.3.24` and lets a malicious local plugin or hook package use a crafted `.npmrc` file to override the `git` executable during `npm install`, resulting in arbitrary program execution. **CVE-2026-41349** affects versions before `2026.3.28` and allows low-privileged remote attackers to bypass execution approval through `config.patch`, silently disabling agentic consent protections. Belgium's Centre for Cybersecurity warned that multiple OpenClaw flaws can lead to RCE and urged immediate patching. Additional OpenClaw issues published shortly after expand the attack surface. **CVE-2026-41336** affects versions before `2026.3.31` and allows workspace `.env` files to override `OPENCLAW_BUNDLED_HOOKS_DIR`, causing trusted bundled hooks to be replaced with attacker-controlled code from untrusted workspaces. **CVE-2026-41352**, also fixed in `2026.3.31`, allows a device-paired node to bypass the node scope gate and execute arbitrary node commands on the host without proper pairing validation. Separately, the Node.js package **simple-git** disclosed **CVE-2026-6951**, an RCE flaw in versions before `3.36.0` caused by incomplete blocking of Git configuration options, allowing attackers to abuse `--config`, enable `protocol.ext.allow=always`, and trigger execution through an `ext::` clone source when untrusted input reaches the library's options.
1 week ago
Multiple Vulnerabilities Disclosed in OpenClaw
dCERT published advisories **2026-0836** and **2026-0866** covering **multiple vulnerabilities in OpenClaw**, indicating that the product is affected by more than one security flaw and that the issue set warranted repeated or updated notification. The advisories identify OpenClaw as the impacted technology but do not provide a public synopsis in the referenced notices. Organizations using **OpenClaw** should review both dCERT advisories to determine affected versions, vulnerability details, and available mitigations or patches. The paired notices suggest ongoing vulnerability handling around the product, making prompt validation of exposure, patch status, and any vendor remediation guidance a priority.
5 days ago