Jisung

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.2.22 **Description** OpenClaw versions before 2026.2.22 contain an authorization bypass in the Feishu allowFrom allowlist implementation. The system accepts mutable sender display names instead of enforcing matching based on ID only. An attacker can set a display name equal to an allowlisted ID string to bypass authorization checks and gain unauthorized access. The `channels.feishu.allowFrom` feature is documented as an ID-based allowlist, but it accepted mutable sender display names. This allowed an attacker to use a display name that matched an allowed ID, bypassing authorization. The fix enforces ID-only matching for Feishu allowlist checks, normalizes Feishu ID prefixes during comparison, and ignores mutable display names for authorization. Deployments using Feishu allowlist-based authorization could incorrectly authorize non-allowlisted senders when a colliding display name was used. **Recommendations** Update OpenClaw to version 2026.2.22 or later.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.2.22 **Description** OpenClaw versions prior to 2026.2.22 contain an authorization bypass in the `toolsBySender` group policy matching. This allows attackers to inherit elevated tool permissions through identifier collision attacks. Attackers can exploit untyped sender keys by forcing collisions with mutable identity values such as `senderName` or `senderUsername` to bypass sender-authorization policies and gain unauthorized access to privileged tools. The issue occurs when deployments use untyped keys, and the fix introduces explicit typed sender keys (`id:`, `e164:`, `username:`, `name:`), keeping legacy untyped keys on a deprecated ID-only path. The vulnerable component is `channels.*.groups.*.toolsBySender`. **Recommendations** Update OpenClaw to version 2026.2.22 or later.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.2.23 **Description** OpenClaw contains a flaw in Twilio webhook event deduplication. Normalized event IDs are randomized during parsing, which allows replay events to bypass deduplication checks. This can lead to attackers replaying Twilio webhook events, triggering duplicate or stale call-state transitions, and potentially causing incorrect call handling and state corruption. **Recommendations** Update OpenClaw to version 2026.2.23 or later.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.2.23 **Description** OpenClaw contains a flaw in allowlist mode where 'allow-always' grants can be bypassed through unrecognized multiplexer shell wrappers, such as `busybox sh -c` and `toybox sh -c` commands. This allows attackers to invoke arbitrary payloads under the same multiplexer wrapper, satisfying stored allowlist rules and circumventing intended execution restrictions. The issue arises because wrapper analysis incorrectly treated invocations of `busybox` and `toybox` as non-wrapper commands, persisting the wrapper binary path instead of the inner executable. This allowed subsequent arbitrary payloads to satisfy the stored allowlist rule. The fix improves wrapper detection and persistence behavior, ensuring approvals bind to the intended inner executables and fail closed when unwrap safety is uncertain. **Recommendations** Update OpenClaw to version 2026.2.23 or later.