Medium severity4.3NVD Advisory· Published Mar 31, 2026· Updated Apr 1, 2026
CVE-2026-33578
CVE-2026-33578
Description
OpenClaw before 2026.3.28 contains a sender policy bypass vulnerability in the Google Chat and Zalouser extensions where route-level group allowlist policies silently downgrade to open policy. Attackers can exploit this policy resolution flaw to bypass sender restrictions and interact with bots despite configured allowlist restrictions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
openclawnpm | < 2026.3.28 | 2026.3.28 |
Affected products
2Patches
Vulnerability mechanics
References
5- github.com/openclaw/openclaw/commit/e64a881ae0fb8af18e451163f4c2d611d60cc8e4nvdPatchWEB
- github.com/advisories/GHSA-63mg-xp9j-jfcmghsaADVISORY
- github.com/openclaw/openclaw/security/advisories/GHSA-63mg-xp9j-jfcmnvdVendor AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2026-33578ghsaADVISORY
- www.vulncheck.com/advisories/openclaw-sender-policy-allowlist-bypass-via-policy-downgrade-in-google-chat-and-zalouser-extensionsnvdThird Party AdvisoryWEB
News mentions
0No linked articles in our index yet.