Medium severity 6.5 · NVD Advisory · Published Mar 31, 2026 · Updated Apr 1, 2026
CVE-2026-33576
Description
OpenClaw before 2026.3.28 downloads and stores inbound media from Zalo channels before validating sender authorization. Unauthorized senders can force network fetches and disk writes to the media store by sending messages that are subsequently rejected.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| openclaw (npm) | < 2026.3.28 | 2026.3.28 |
References
- github.com/openclaw/openclaw/commit/68ceaf7a5f64a23e78b95eff055e4b497218312a (source: NVD; Patch; Web)
- github.com/advisories/GHSA-v2v2-f783-358j (source: GHSA; Advisory)
- github.com/openclaw/openclaw/security/advisories/GHSA-v2v2-f783-358j (source: NVD; Vendor Advisory; Web)
- nvd.nist.gov/vuln/detail/CVE-2026-33576 (source: GHSA; Advisory)
- www.vulncheck.com/advisories/openclaw-unauthorized-media-download-via-zalo-channel (source: NVD; Third Party Advisory; Web)