This is a summary of the AI-generated 10-question deep analysis. The full version (longer answers, follow-up Q&A, related CVEs) requires login. Read the full analysis β
Q1What is this vulnerability? (Essence + Consequences)
π¨ **Essence**: OpenClaw's Zalouser allowlist uses **mutable group display names** instead of stable IDs.β¦
π‘οΈ **CWE**: CWE-807 (Security Misinterpretation). <br>π **Flaw**: The system matches against **variable display names** rather than immutable identifiers, leading to weak authorization logic.
π΅οΈ **Privileges**: Full bypass of channel/group authorization. <br>π **Data**: Potential access to private chats, files, and restricted content within the impersonated group context.
𧨠**Exploit**: **No public PoC** listed in data. <br>π **Wild Exploit**: Unconfirmed, but logic is simple (name spoofing), making theoretical exploitation high.
Q7How to self-check? (Features/Scanning)
π **Check**: Verify if your OpenClaw version is **< 2026.3.12**. <br>π **Scan**: Look for Zalouser allowlist configurations relying on **display names** instead of unique IDs.
Q8Is it fixed officially? (Patch/Mitigation)
β **Fixed**: Yes. <br>π§ **Patch**: Upgrade to **OpenClaw 2026.3.12** or later. <br>π **Ref**: GitHub Advisory GHSA-f5mf-3r52-r83w.
Q9What if no patch? (Workaround)
π§ **Workaround**: If unpatched, **disable Zalouser allowlist** or enforce **immutable group IDs** in configuration. Restrict group creation permissions.
Q10Is it urgent? (Priority Suggestion)
π₯ **Urgency**: **CRITICAL**. <br>π **Priority**: **Immediate Action**. CVSS Score is **High** (likely 9.8). Remote, unauthenticated, full impact. Patch NOW.