OpenClaw < 2026.2.25 - Authorization Bypass in Interactive Callbacks via Sender Check Skip

OpenClaw versions prior to 2026.2.25 fail to enforce sender authorization checks for interactive callbacks including block_action, view_submission, and view_closed in shared workspace deployments. Unauthorized workspace members can bypass allowFrom restrictions and channel user allowlists to enqueue system-event text into active sessions.

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

授权机制不正确

OpenClaw 安全漏洞

OpenClaw是OpenClaw开源的一个智能人工助理。 OpenClaw 2026.2.25之前版本存在安全漏洞，该漏洞源于未能对共享工作区部署中的交互式回调强制执行发送者授权检查，可能导致未经授权的工作区成员绕过allowFrom限制和通道用户允许列表。

N/A

N/A