SB2026052916 - Multiple vulnerabilities in OpenClaw
Published: May 29, 2026
Description
This security bulletin contains information about 2 vulnerabilities.
1) Authentication Bypass by Spoofing (CVE-ID: N/A)
CWE-ID: CWE-290 - Authentication Bypass by Spoofing
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to gain access to an agent intended for another Slack identity.
The vulnerability exists due to authentication bypass by spoofing in the Slack allowFrom feature: policy entries are matched against mutable display name metadata rather than a stable identifier. A remote user can change their Slack display name to match another identity's policy entry and gain access to an agent intended for that Slack identity.
Only configurations with the affected feature enabled and reachable are vulnerable.
2) Authentication Bypass by Spoofing (CVE-ID: N/A)
CWE-ID: CWE-290 - Authentication Bypass by Spoofing
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to authentication bypass by spoofing in the Zalo allowFrom feature: policy entries are matched against mutable display metadata rather than a stable identifier. A remote user can set their display metadata to match another Zalo identity's policy entry and disclose sensitive information.
Only configurations with the affected feature enabled and reachable are vulnerable.
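Both entries describe the same weakness class: an allowFrom policy that compares entries against profile fields the sender controls (display name, display metadata) instead of the identifier the platform assigns. The following is an added illustration, not OpenClaw's own code, showing the weak matcher beside a hardened one and a small config audit. The type names, field names, the stable-ID shape checks, and the sample policy and messages are all assumptions constructed for this example; the Slack member-ID pattern reflects the public "U"/"W" prefix convention, and the Zalo rule is purely illustrative.

```typescript
// Added illustration, not OpenClaw's own code. It contrasts an allowFrom
// matcher keyed on mutable display metadata (the weakness the bulletin
// describes) with one keyed on the platform-assigned user ID. All type and
// field names here are assumptions made for the example.

type Platform = "slack" | "zalo";

// Constructed shape of an inbound chat event as an agent gateway might see it.
interface InboundMessage {
  platform: Platform;
  userId: string;      // stable, assigned by the platform, not user-editable
  displayName: string; // mutable profile field the sender controls
  text: string;
}

// One allowFrom policy entry; operators may have written either an ID or a name.
interface AllowFromEntry {
  platform: Platform;
  value: string;
}

// Weak matcher: compares the policy value against the sender's display name.
// Any account that can edit its own profile can satisfy another identity's entry.
function isAllowedByDisplayName(msg: InboundMessage, policy: AllowFromEntry[]): boolean {
  return policy.some((e) => e.platform === msg.platform && e.value === msg.displayName);
}

// Hypothetical shape check for stable IDs. Slack member IDs begin with "U" or
// "W" followed by uppercase alphanumerics; the Zalo rule (digits only) is an
// assumption for this example, not a documented Zalo format.
function looksLikeStableId(platform: Platform, value: string): boolean {
  if (platform === "slack") return /^[UW][A-Z0-9]{8,}$/.test(value);
  return /^\d{6,}$/.test(value);
}

// Hardened matcher: compares only against the stable user ID, and ignores
// policy entries that are not ID-shaped so a display name left in config
// cannot widen access.
function isAllowedByUserId(msg: InboundMessage, policy: AllowFromEntry[]): boolean {
  return policy.some(
    (e) => e.platform === msg.platform && looksLikeStableId(e.platform, e.value) && e.value === msg.userId,
  );
}

// Config audit: list entries that would only ever match on mutable metadata,
// so an operator can replace them with IDs before relying on the policy.
function weakEntries(policy: AllowFromEntry[]): AllowFromEntry[] {
  return policy.filter((e) => !looksLikeStableId(e.platform, e.value));
}

// Constructed policy and messages for the demonstration.
const samplePolicy: AllowFromEntry[] = [
  { platform: "slack", value: "U0123ALICE" }, // stable ID (good)
  { platform: "slack", value: "alice" },      // display name (weak)
  { platform: "zalo", value: "8888000111" },  // assumed-stable numeric ID
];

const legitimateAlice: InboundMessage = {
  platform: "slack", userId: "U0123ALICE", displayName: "alice", text: "run report",
};

// A different account that has renamed itself "alice"; its user ID is unchanged.
const renamedAccount: InboundMessage = {
  platform: "slack", userId: "U9999OTHER", displayName: "alice", text: "run report",
};
```

With the constructed data, the display-name matcher admits the renamed account while the user-ID matcher admits only the account whose stable ID is listed; running weakEntries over the policy surfaces the single name-based entry that would need to be replaced with an ID. The design choice worth copying is that the hardened matcher never consults the display field at all, so a later config mistake cannot reintroduce the comparison.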
Remediation
Install the update from the vendor's website.