OpenClaw Sender Allowlist Bypass Vulnerability in Quoted and Thread Context Messages
Vulnerability
A sender allowlist bypass vulnerability has been identified in OpenClaw versions prior to 2026.3.31. This vulnerability allows remote attackers to access restricted messages by exploiting quoted, root, and thread context messages, thereby bypassing sender allowlist restrictions and retrieving unauthorized content.
Impact
Exploitation of this vulnerability allows for unauthorized access to restricted messages, bypassing sender allowlist controls.
Reproduction
To reproduce this vulnerability, send a message in a group chat using a sender ID that is not on the allowlist. The message can include quoted content or be part of a thread. The OpenClaw application will fetch the quoted or thread context messages, which will bypass the sender allowlist restrictions and allow access to the restricted content.
Remediation
Users can update to OpenClaw version 2026.3.31 or later, where this vulnerability has been patched.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.