GHSA-wpph-cjgr-7c39: OpenClaw's typed sender-key matching for toolsBySender prevents identity-collision policy bypass
When deployments used untyped keys, channels.*.groups.*.toolsBySender could match a privileged sender's policy against a colliding mutable identity value (for example senderName or senderUsername), since an untyped key was compared with any identifier the sender presented rather than only with its stable ID.
The fix introduces explicit typed sender keys (id:, e164:, username:, name:), keeps legacy untyped keys on a deprecated ID-only path, and adds regression coverage to prevent cross-identifier collisions.
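The two matching behaviours the advisory contrasts, as an added illustration that is not OpenClaw's own code: the function names, the sender field names and the sample config are assumptions, and the untyped resolver is written the way the advisory describes the pre-fix behaviour.

```javascript
// Constructed sender record: the identity values a channel adapter might expose.
// Only `id` is stable; `name` and `username` are user-controlled and mutable.
function makeSender({ id, e164 = null, username = null, name = null }) {
  return { id, e164, username, name };
}

// Pre-fix behaviour (hypothetical reconstruction): an untyped key is compared
// against every identity value, so a mutable name or username that collides
// with a privileged sender's id inherits that sender's policy.
function resolveToolsBySenderUntyped(toolsBySender, sender) {
  const candidates = [sender.id, sender.e164, sender.username, sender.name];
  for (const [key, policy] of Object.entries(toolsBySender)) {
    if (candidates.includes(key)) return policy;
  }
  return null;
}

// Fixed behaviour: a typed key (id:, e164:, username:, name:) matches only the
// identifier it names; a legacy untyped key stays on the ID-only path.
const TYPED_PREFIXES = ['id:', 'e164:', 'username:', 'name:'];

function senderKeyMatches(key, sender) {
  for (const prefix of TYPED_PREFIXES) {
    if (key.startsWith(prefix)) {
      const field = prefix.slice(0, -1);          // 'id:' -> 'id', etc.
      const value = sender[field];
      return value != null && value === key.slice(prefix.length);
    }
  }
  return key === sender.id;                        // deprecated untyped key
}

function resolveToolsBySenderTyped(toolsBySender, sender) {
  for (const [key, policy] of Object.entries(toolsBySender)) {
    if (senderKeyMatches(key, sender)) return policy;
  }
  return null;
}

// Constructed configs: a legacy untyped key and its typed equivalent.
const legacyConfig = { '12345': { allow: ['*'] } };
const typedConfig = { 'id:12345': { allow: ['*'] }, 'username:ops': { allow: ['deploy'] } };

// Constructed senders: the privileged account and one whose mutable fields
// collide with the privileged id and username.
const admin = makeSender({ id: '12345', username: 'ops', name: 'Alice' });
const collider = makeSender({ id: '99999', username: '12345', name: 'ops' });
```

With the untyped resolver `collider` receives the admin policy from `legacyConfig`; with the typed resolver it receives none from either config, while `admin` still matches both.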