Authorization bypass through user-controlled key in OpenClaw - #VU125178
Published: April 8, 2026
OpenClaw
Detailed vulnerability description
The vulnerability allows a remote user to redirect reply delivery to a different user.
The vulnerability exists due to improper identity resolution in the Synology Chat webhook handler when resolving reply recipients from usernames. A remote user can change or control a username match to redirect reply delivery to a different user.
Replies may be rebound to a mutable username match instead of the stable numeric user_id recorded by the webhook event.