wid-sec-w-2026-0930 · Published 2026-03-30 · View on BSI CERT-Bund ↗

OpenClaw: Multiple Vulnerabilities

CVSS 9.4 CRITICAL

Risk Summary

OpenClaw before 2026.3.28 contains a sender policy bypass vulnerability in the Google Chat and Zalouser extensions where route-level group allowlist policies silently downgrade to open policy. Attackers can exploit this policy resolution flaw to bypass sender restrictions and interact with bots despite configured allowlist restrictions.

CVEs (8)

CVE-2026-33576 CVE-2026-33577 CVE-2026-33578 CVE-2026-33579 CVE-2026-33580 CVE-2026-33581 CVE-2026-34503 CVE-2026-34504

Affected Vendors

Open Source

Affected Products (2)

Open Source · OpenClaw <2026.3.28

Open Source · OpenClaw 2026.3.28

Get alerted to advisories like this

OTWarden monitors CISA, BSI, Siemens, Rockwell and more — and emails you within 2 hours when your vendors are affected.

Start free trial Learn more