GHSA-534w-2vm4-89xr: OpenClaw's Zalo group sender allowlist bypass permits unauthorized GROUP dispatch
A missing group-sender authorization check in the Zalo plugin allowed unauthorized GROUP messages to enter agent dispatch paths in configurations intended to restrict group traffic.