CVE-2026-33576 - Vulnerability Analysis
Critical | CVSS: 9.8 | Last Updated: March 31, 2026
OpenClaw - Broken Access Control
Overview
OpenClaw before 2026.3.28 contains an unauthorized media download and storage vulnerability caused by a lack of sender authorization validation in Zalo channel media handling. Inbound media is fetched and stored before the sender is checked, so unauthorized senders can force network fetches and disk writes. Exploitation requires sending messages to the target.
Severity & Score
Impact
Unauthorized senders can cause unwanted network fetches and write files to disk, potentially leading to resource exhaustion or data tampering.
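As an added illustration (not OpenClaw's code; the handler, message shape, allowlist and side-effect counters are all constructed), the two orderings the advisory describes: fetching and storing inbound media before the sender check versus gating both behind it.

```javascript
// Constructed allowlist of senders the channel is willing to accept media from.
const AUTHORIZED_SENDERS = new Set(["user-1001"]);

// Simulated network and disk side effects, counted so the cost of each ordering is measurable.
function makeDeps() {
  const deps = { fetches: 0, writes: 0, store: new Map() };
  deps.fetchMedia = (url) => { deps.fetches += 1; return `bytes-of:${url}`; };
  deps.writeMedia = (id, data) => { deps.writes += 1; deps.store.set(id, data); };
  return deps;
}

function isAuthorizedSender(senderId) {
  return AUTHORIZED_SENDERS.has(senderId);
}

// Vulnerable ordering: every attachment is fetched and persisted first,
// and only afterwards is the message rejected for an unauthorized sender.
function handleInboundVulnerable(msg, deps) {
  for (const att of msg.attachments) {
    deps.writeMedia(`${msg.id}-${att.name}`, deps.fetchMedia(att.url));
  }
  if (!isAuthorizedSender(msg.senderId)) return { accepted: false, reason: "unauthorized sender" };
  return { accepted: true };
}

// Hardened ordering: the authorization check runs before any fetch or write,
// so a rejected message costs no network or disk activity at all.
function handleInboundHardened(msg, deps) {
  if (!isAuthorizedSender(msg.senderId)) return { accepted: false, reason: "unauthorized sender" };
  for (const att of msg.attachments) {
    deps.writeMedia(`${msg.id}-${att.name}`, deps.fetchMedia(att.url));
  }
  return { accepted: true };
}

// Push one constructed message through a handler and report the side effects it caused.
function runScenario(handler, senderId) {
  const deps = makeDeps();
  const msg = {
    id: "m1",
    senderId,
    attachments: [{ name: "a.jpg", url: "https://example.invalid/a.jpg" }],
  };
  const result = handler(msg, deps);
  return { accepted: result.accepted, fetches: deps.fetches, writes: deps.writes };
}
```

Running `runScenario` with an unknown sender shows the vulnerable handler still performing one fetch and one write before rejecting, while the hardened handler performs none.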
Mitigation
Update to version 2026.3.28 or later.
References
Social Media Activity (2 posts)
CVE-2026-33576 - Critical (9.8) OpenClaw before 2026.3.28 downloads and stores inbound media from Zalo channels before validating sender authorization. Unauthorized senders can force network fetches and disk writes to the media store by sending messages that are subsequently rej... https://www.thehackerwire.com/vulnerability/CVE-2026-33576/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
Details
- CVE ID: CVE-2026-33576
- Severity: Critical
- CVSS Score: 9.8
- Type: broken_access_control
- Status: new
- EPSS: 0.0%
- Social Posts: 2
CWE
- CWE-863
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H