GHSA-f5mf-3r52-r83w: OpenClaw's Zalouser allowlist authorization matched mutable group names by default
OpenClaw’s Zalouser allowlist mode accepted mutable group names and normalized slugs as authorization matches instead of requiring stable group IDs. In deployments that used name-based channels.zalouser.groups entries together with permissive sender allowlists, a different group could be accepted by reusing the same display name as an allowlisted group.
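As an added illustration of the bug class (this is not OpenClaw's own code; the config entry shape, the inbound message fields and the `g_<digits>` ID pattern are assumptions), a minimal model of a name-or-slug matcher beside a stable-ID matcher, plus a check that flags name-based groups entries in an allowlist:

```typescript
// Added illustration of the bug class in GHSA-f5mf-3r52-r83w; not OpenClaw's code.
// The config entry shape, the inbound message fields and the ID pattern are assumptions.
interface InboundGroupMessage {
  groupId: string;   // stable identifier assigned by the platform
  groupName: string; // mutable display name, changeable by the group's members
  senderId: string;
}

// Collapse a display name to a normalized slug, as a name-based allowlist would.
function slugify(name: string): string {
  return name.trim().toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-|-$/g, "");
}

// Vulnerable behaviour: an allowlist entry is a match if it equals the group ID
// OR if its slug equals the slug of the group's *current* display name.
function isAllowedByNameOrId(allowlist: string[], msg: InboundGroupMessage): boolean {
  const nameSlug = slugify(msg.groupName);
  return allowlist.some((entry) => entry === msg.groupId || slugify(entry) === nameSlug);
}

// Hardened behaviour: only an exact, stable group ID is an authorization match.
function isAllowedByStableId(allowlist: string[], msg: InboundGroupMessage): boolean {
  return allowlist.includes(msg.groupId);
}

// Config check: report entries that do not look like stable IDs so an operator can
// find name-based groups entries. Assumption: stable IDs here are "g_" + digits.
const STABLE_ID = /^g_\d+$/;
function nameBasedEntries(allowlist: string[]): string[] {
  return allowlist.filter((entry) => !STABLE_ID.test(entry));
}

// Constructed scenario: the operator allowlisted "Ops Team" by display name, and a
// different group (a different stable ID) later adopts the same name.
const groupsAllowlist = ["Ops Team"];
const legitimate: InboundGroupMessage = { groupId: "g_1001", groupName: "Ops Team", senderId: "u_1" };
const lookalike: InboundGroupMessage = { groupId: "g_2002", groupName: "ops team", senderId: "u_9" };

console.log(isAllowedByNameOrId(groupsAllowlist, lookalike)); // true: the flaw
console.log(isAllowedByStableId(["g_1001"], lookalike));      // false: fixed
console.log(nameBasedEntries(groupsAllowlist));               // ["Ops Team"]
```

Running `nameBasedEntries` over an existing `channels.zalouser.groups` list is a quick way to find entries that should be migrated to stable IDs before tightening the sender allowlists.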