PT-2026-25428 · Npm · Openclaw

Published: 2026-03-03 · Updated: 2026-03-03

CVSS v4.0: 5.3 (Medium)

Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

A missing group-sender authorization check in the Zalo plugin allowed unauthorized GROUP messages to enter agent dispatch paths in configurations intended to restrict group traffic.

Impact

When Zalo group handling was configured with allowlist-style controls, a sender not present in the intended group allowlist could still trigger agent processing through the GROUP message path.

Root Cause

Group access checks were not consistently enforced before dispatch for Zalo GROUP messages. The fix adds explicit runtime group-policy evaluation (groupPolicy, groupAllowFrom, fallback to allowFrom) and fail-closed behavior for missing provider config.
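
The policy evaluation described above, written out as an added illustration (this is not OpenClaw's code; the config keys groupPolicy, groupAllowFrom and allowFrom come from the advisory, while the policy values "open", "allowlist" and "disabled", the sender-id shape and the return format are assumptions for this example):

```javascript
// Added example: explicit group-sender authorization evaluated at runtime,
// before any agent dispatch, with fail-closed defaults.
// Assumed policy values (not taken from the advisory): "open", "allowlist", "disabled".
const KNOWN_POLICIES = new Set(["open", "allowlist", "disabled"]);

function authorizeGroupSender(providerConfig, senderId) {
  // Fail closed: a missing or malformed provider config dispatches nothing.
  if (!providerConfig || typeof providerConfig !== "object") {
    return { allowed: false, reason: "missing-provider-config" };
  }
  const policy = providerConfig.groupPolicy;
  // Unknown or absent policy is treated as a deny, never as "open".
  if (!KNOWN_POLICIES.has(policy)) {
    return { allowed: false, reason: "unknown-group-policy" };
  }
  if (policy === "disabled") return { allowed: false, reason: "groups-disabled" };
  if (policy === "open") return { allowed: true, reason: "open-policy" };
  // allowlist: prefer groupAllowFrom, fall back to the general allowFrom list.
  const list = Array.isArray(providerConfig.groupAllowFrom)
    ? providerConfig.groupAllowFrom
    : providerConfig.allowFrom;
  // An allowlist policy with no usable list denies everyone (fail closed).
  if (!Array.isArray(list) || list.length === 0) {
    return { allowed: false, reason: "empty-allowlist" };
  }
  const ok = list.map(String).includes(String(senderId));
  return { allowed: ok, reason: ok ? "sender-allowlisted" : "sender-not-allowlisted" };
}

// Dispatch wrapper: the check runs before the agent sees the message, and the
// decision reason is returned so denials can be logged and audited.
function dispatchGroupMessage(providerConfig, message, dispatchFn) {
  const decision = authorizeGroupSender(providerConfig, message.senderId);
  if (!decision.allowed) {
    return { dispatched: false, reason: decision.reason };
  }
  dispatchFn(message);
  return { dispatched: true, reason: decision.reason };
}

// Constructed sample config: group traffic restricted to one sender id.
const sampleConfig = { groupPolicy: "allowlist", groupAllowFrom: ["user-123"] };
```

With sampleConfig, a GROUP message from "user-999" is denied with reason "sender-not-allowlisted" and never reaches dispatchFn, while the same message with no provider config at all is denied with "missing-provider-config".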

Affected Packages / Versions

  • Package: openclaw (npm)
  • Latest published vulnerable version: 2026.2.23 (as of 2026-02-24)
  • Affected range: <= 2026.2.23
  • Planned patched version: 2026.2.24

Fix Commit(s)

  • b4010a0b627025c809c0e5dbdbd4770f3bc59ef8

OpenClaw thanks @tdjackey for reporting.

Publication Update (2026-02-25)

openclaw@2026.2.24 is published on npm and contains the fix commit(s) listed above. This advisory now marks >= 2026.2.24 as patched.

Weakness Enumeration

  • Improper Access Control
  • Incorrect Authorization

Related Identifiers

  • GHSA-534W-2VM4-89XR

Affected Products

  • Openclaw