CVE-2026-31998
Authorization Bypass in OpenClaw Synology-Chat Plugin Allows Unauthorized Actions
Publication date: 2026-03-19
Last updated on: 2026-03-25
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openclaw | openclaw | From 2026.2.22 (inc) to 2026.2.24 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2026-31998 is an authorization bypass vulnerability in OpenClaw versions 2026.2.22 and 2026.2.23, specifically affecting the Synology Chat channel plugin. When the direct message policy (dmPolicy) is set to "allowlist" but the allowedUserIds list is empty, the system incorrectly fails open, allowing unauthorized users to send messages.'}, {'type': 'paragraph', 'content': 'This means that attackers who have Synology sender access can bypass authorization checks and trigger unauthorized agent dispatches and downstream tool actions, despite not being explicitly allowed.'}, {'type': 'paragraph', 'content': 'The root cause is that an empty allowlist was treated as allowing all users, instead of blocking all users, which is a failure of proper access control.'}] [1, 2, 3, 4]
How can this vulnerability impact me? :
This vulnerability can allow attackers with Synology sender access to bypass authorization controls and perform unauthorized actions within the OpenClaw system.
- Attackers can dispatch agents without permission.
- They can trigger downstream tool actions that should be restricted.
Such unauthorized actions could lead to misuse of system resources, potential data exposure, or disruption of normal operations.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'Detection of this vulnerability involves checking the configuration of the synology-chat channel plugin in OpenClaw, specifically the dmPolicy setting and the allowedUserIds list.'}, {'type': 'list_item', 'content': 'Verify if dmPolicy is set to "allowlist".'}, {'type': 'list_item', 'content': 'Check if the allowedUserIds list is empty or unset.'}, {'type': 'paragraph', 'content': 'If dmPolicy is "allowlist" and allowedUserIds is empty, the system is vulnerable because it fails open, allowing unauthorized access.'}, {'type': 'paragraph', 'content': 'Since the vulnerability relates to configuration, you can detect it by inspecting the plugin configuration files or querying the plugin settings.'}, {'type': 'paragraph', 'content': 'No specific network or system commands are provided in the resources, but a practical approach would be to use commands or scripts to extract and verify the dmPolicy and allowedUserIds values from the OpenClaw configuration or plugin settings.'}] [2, 3, 4]
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'The immediate mitigation steps are to update OpenClaw to version 2026.2.24 or later, where the vulnerability has been fixed.'}, {'type': 'paragraph', 'content': 'If updating is not immediately possible, ensure that the dmPolicy is not set to "allowlist" with an empty allowedUserIds list.'}, {'type': 'list_item', 'content': 'Configure allowedUserIds with explicit user IDs to avoid an empty allowlist.'}, {'type': 'list_item', 'content': 'Alternatively, change dmPolicy to "open" to allow all users if that fits your security requirements.'}, {'type': 'paragraph', 'content': 'These steps prevent unauthorized users from bypassing authorization checks and triggering unauthorized actions.'}] [1, 2, 3, 4]