PT-2026-26238 · Synology · Synology Chat

Tdjackey · Published 2026-02-25 · Updated 2026-03-21 · CVE-2026-31998

CVSS v3.1: 10 Critical (as listed)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (note: this vector scores 9.8 under CVSS v3.1; a 10.0 requires a changed scope, S:C)
Name of the Vulnerable Software and Affected Versions: OpenClaw versions 2026.2.22 through 2026.2.23
Description: OpenClaw 2026.2.22 and 2026.2.23 contain an authorization bypass in the synology-chat channel plugin. When dmPolicy is set to allowlist and allowedUserIds is empty, the allowlist check is skipped, so any sender who can reach the Synology Chat webhook can trigger agent dispatch and the downstream tool actions that follow from it. The root cause is a policy mismatch: the helper that webhook authentication relies on in allowlist mode treats an empty allowedUserIds as "allow all" instead of "allow none". Exploitation requires Synology Chat sender access. The advisory does not name the affected API endpoint.
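The policy mismatch the description refers to, as an added example that is not OpenClaw's code: a helper of the vulnerable shape beside a fail-closed one, a webhook handler that gates agent dispatch on whichever helper is wired in, and a startup check that rejects the ambiguous configuration. The field names dmPolicy and allowedUserIds are taken from the advisory; the function names, the types and the sample webhook event are assumptions made for illustration, and the event shape only loosely follows Synology Chat's outgoing-webhook fields.

```typescript
// Added illustration of the allowlist policy mismatch, not OpenClaw's code.
// dmPolicy / allowedUserIds are the field names from the advisory; everything
// else here (types, function names, sample event) is assumed for illustration.

type DmPolicy = "open" | "allowlist";

interface ChannelConfig {
  dmPolicy: DmPolicy;
  allowedUserIds: string[];
}

// Assumed subset of a Synology Chat outgoing-webhook payload.
interface WebhookEvent {
  user_id: string;
  username: string;
  text: string;
}

interface DispatchResult {
  dispatched: boolean;
  reason: string;
}

type SenderCheck = (cfg: ChannelConfig, senderId: string) => boolean;

// Vulnerable shape: an empty allowlist short-circuits to "allowed", so in
// allowlist mode with no IDs configured every sender passes (the root cause
// described in the advisory).
function isSenderAllowedVulnerable(cfg: ChannelConfig, senderId: string): boolean {
  if (cfg.dmPolicy !== "allowlist") return true;
  if (cfg.allowedUserIds.length === 0) return true; // empty list treated as allow-all
  return cfg.allowedUserIds.includes(senderId);
}

// Fail-closed shape: in allowlist mode only an explicitly listed, non-blank ID
// passes; an empty list allows nobody. IDs are trimmed and compared exactly.
function isSenderAllowedFixed(cfg: ChannelConfig, senderId: string): boolean {
  if (cfg.dmPolicy !== "allowlist") return true;
  const allowed = new Set(
    cfg.allowedUserIds.map((id) => id.trim()).filter((id) => id !== ""),
  );
  const sender = senderId.trim();
  return sender !== "" && allowed.has(sender);
}

// Webhook entry point: the sender check is the only gate before agent dispatch,
// so the helper wired in here decides whether downstream tool actions run.
function handleWebhook(cfg: ChannelConfig, event: WebhookEvent, check: SenderCheck): DispatchResult {
  if (!check(cfg, event.user_id)) {
    return { dispatched: false, reason: `sender ${event.user_id} not in allowlist` };
  }
  // Agent dispatch would happen here; the example only reports it.
  return { dispatched: true, reason: `dispatched "${event.text}" for ${event.username}` };
}

// Startup validation: refuse the ambiguous configuration outright so a deploy
// with dmPolicy=allowlist and no IDs fails loudly instead of silently denying
// everyone (fixed helper) or silently allowing everyone (vulnerable helper).
function validateChannelConfig(cfg: ChannelConfig): string[] {
  const errors: string[] = [];
  const ids = cfg.allowedUserIds.map((id) => id.trim()).filter((id) => id !== "");
  if (cfg.dmPolicy === "allowlist" && ids.length === 0) {
    errors.push("dmPolicy is allowlist but allowedUserIds is empty; add user IDs or use another policy");
  }
  if (ids.length !== cfg.allowedUserIds.length) {
    errors.push("allowedUserIds contains blank entries");
  }
  return errors;
}

// Constructed sample: an allowlist-mode channel with no IDs, and a sender that
// was never authorised.
const emptyAllowlist: ChannelConfig = { dmPolicy: "allowlist", allowedUserIds: [] };
const unknownSender: WebhookEvent = { user_id: "42", username: "stranger", text: "run the deploy tool" };

console.log(handleWebhook(emptyAllowlist, unknownSender, isSenderAllowedVulnerable)); // dispatched: true
console.log(handleWebhook(emptyAllowlist, unknownSender, isSenderAllowedFixed));      // dispatched: false
console.log(validateChannelConfig(emptyAllowlist)); // one error about the empty allowlist
```

The fail-closed helper is the behavioural fix; the startup check is the operational one, since an allowlist that denies everyone is usually a misconfiguration the operator wants surfaced at deploy time rather than discovered from a silent queue of rejected messages.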
Recommendations: Update to OpenClaw version 2026.2.24 or later.

Fix: available in OpenClaw 2026.2.24 (see Recommendations).

Weakness Enumeration: Improper Access Control (CWE-284); Incorrect Authorization (CWE-863)

Related Identifiers

BDU:2026-05005
CVE-2026-31998
GHSA-GW85-XP4Q-5GP9
GHSA-JQPF-VJ28-9V7R

Affected Products

Openclaw
Synology
Synology Chat