Description
OpenClaw before 2026.3.12 contains a weak authorization vulnerability in Zalouser allowlist mode that matches mutable group display names instead of stable group identifiers. Attackers can create groups with identical names to allowlisted groups to bypass channel authorization and route messages from unintended groups to the agent.
Published: 2026-03-29
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized channel access
Action: Patch immediately
AI Analysis

Impact

The vulnerability occurs in OpenClaw versions prior to 2026.3.12 when operating in Zalouser allowlist mode. The system incorrectly relies on mutable group display names rather than permanent identifiers to enforce access permissions. An attacker who can create a group with a display name identical to an allowlisted group can trick the system into treating the new group as authorized, permitting the delivery of messages through channels that should be protected and bypassing channel authorization.

Affected Systems

Affected systems are installations of the OpenClaw server software with a version earlier than 2026.3.12. This includes all deployments of the open source OpenClaw product; no other vendor or product is mentioned.

Risk and Exploitability

The CVSS score for this issue is 6.9, indicating medium severity. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires the ability to create or modify group entities in the application, which can typically be performed via the exposed APIs or administrative interface. It is inferred that an attacker would need remote network access to the OpenClaw instance with permission to create groups. Given the medium CVSS and the lack of evidence of active exploitation, the risk is significant but not imminently critical.

Generated by OpenCVE AI on March 29, 2026 at 14:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenClaw to version 2026.3.12 or later.

Generated by OpenCVE AI on March 29, 2026 at 14:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 30 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Sun, 29 Mar 2026 13:15:00 +0000

Type Values Removed Values Added
Description OpenClaw before 2026.3.12 contains a weak authorization vulnerability in Zalouser allowlist mode that matches mutable group display names instead of stable group identifiers. Attackers can create groups with identical names to allowlisted groups to bypass channel authorization and route messages from unintended groups to the agent.
Title OpenClaw < 2026.3.12 - Weak Authorization via Mutable Group Names in Zalouser Allowlist
First Time appeared Openclaw
Openclaw openclaw
Weaknesses CWE-807
CPEs cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products Openclaw
Openclaw openclaw
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Openclaw Openclaw
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-30T11:39:33.426Z

Reserved: 2026-03-17T11:31:33.584Z

Link: CVE-2026-32975

cve-icon Vulnrichment

Updated: 2026-03-30T11:39:24.921Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-29T13:17:01.763

Modified: 2026-03-30T17:13:46.863

Link: CVE-2026-32975

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-30T06:58:18Z

Weaknesses