Listen to this Post
OpenClaw’s Zalouser component handles group-based authorization for message routing. The vulnerability, tracked as GHSA-f5mf-3r52-r83w, resides in how the allowlist mode matches groups . Instead of requiring stable, immutable group IDs, the system accepted mutable group display names and their normalized slugs. This creates a logical flaw where the authorization check compares the human-readable name of a group rather than its unique identifier. For an attack to be viable, a deployment must use name-based entries in `channels.zalouser.groups` alongside a permissive sender allowlist . In such a configuration, an attacker could create or rename a group to exactly match the display name of an allowlisted group. When a message is sent from this malicious group, Zalouser’s flawed logic would see the matching name, deem it authorized, and route the message to the agent. This effectively bypasses the intended channel authorization, allowing a message from an unauthorized group to be processed as if it were from a trusted source, simply by reusing a trusted group’s display name . The fix involves modifying the authorization logic to match stable, immutable group identifiers instead of mutable names .
DailyCVE Form:
Platform: OpenClaw Zalouser
Version: <= 2026.3.11
Vulnerability: Authorization Bypass
Severity: Moderate
Date: March 13, 2026
Prediction: Patch already exists
What Undercode Say:
Analytics:
This vulnerability highlights a common security anti-pattern: relying on user-controlled or mutable attributes (like a display name) for authorization decisions. The issue was addressed in OpenClaw version 2026.3.12 . The fix’s implementation suggests a shift from matching on normalized slugs derived from group names to using a persistent, internal UUID or similar stable identifier.
Exploit:
Scenario: Attacker controls a group and wants to impersonate 'trusted-group' 1. Identify the name of an allowlisted group from the target OpenClaw deployment. Assume the target's allowlist uses the name: "Engineering-Team" 2. Using the collaboration platform's API or interface, the attacker renames their own malicious group to exactly match the target name. Example using a hypothetical CLI tool: collab-cli group update --id malicious-group-456 --name "Engineering-Team" 3. The attacker sends a message from their group, which now has the display name "Engineering-Team". collab-cli message send --group "Engineering-Team" --text "Critical update: Please click here" 4. OpenClaw's vulnerable Zalouser component receives the message. It checks the allowlist configured in channels.zalouser.groups. - The configuration might look like: channels.zalouser.groups: ["Engineering-Team"] - Zalouser extracts the sender's group display name: "Engineering-Team". - It performs a string match: is "Engineering-Team" in the list ["Engineering-Team"]? Yes. 5. The message is authorized and routed to the agent, bypassing the intended group ID check.
Protection from this CVE:
- Immediate Patching: Upgrade OpenClaw to version `2026.3.12` or later . This is the primary and most effective mitigation.
- Configuration Review: Immediately review all `channels.zalouser.groups` configurations. If they currently use human-readable names, plan to replace them with stable group IDs after upgrading.
- Principle of Least Privilege: Ensure that sender allowlists are as restrictive as possible. Avoid using permissive wildcards or broad patterns.
- Infrastructure as Code: Manage group and channel configurations through code. This allows for easier auditing of which identifiers (names vs. IDs) are being used for authorization.
- Monitor Logs: After applying the patch, monitor authorization logs for any failed attempts that might indicate reconnaissance or exploitation attempts.
Impact:
The impact is a weakening of channel authorization. An attacker who can control a group’s display name can successfully send messages to agents that were intended only for messages from specific, trusted groups . This can lead to the delivery of phishing messages, misinformation, or malicious commands from an untrusted source, bypassing a critical security control within the OpenClaw/Zalouser ecosystem.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

