LeakyCreds
NewInstant webhook alerts now available ā€” notified within seconds of any credential detection.Learn more ā†’
Home / Vulnerability Intelligence / CVE-2026-33578

CVE-2026-33578 - Vulnerability Analysis

CriticalCVSS: 9.8

Last Updated: March 31, 2026

OpenClaw - Authentication Bypass

Published: March 31, 2026Updated: March 31, 2026Remote Exploitable

Overview

OpenClaw before 2026.3.28 contains a sender policy bypass caused by route-level group allowlist policies silently downgrading to open policy in Google Chat and Zalouser extensions, letting attackers bypass sender restrictions and interact with bots despite allowlist, exploit requires no special conditions.

Severity & Score

Severity: Critical
CVSS Score: 9.8
EPSS Score: 0.0%(Probability of exploitation in next 30 days)

Impact

Attackers can bypass sender restrictions and interact with bots despite allowlist policies, potentially leading to unauthorized bot interactions.

Mitigation

Update to version 2026.3.28 or later.

References

Social Media Activity(4 posts)

TheHackerWire
TheHackerWire
@thehackerwire
Mar 31, 2026

šŸ”“ CVE-2026-33578 - Critical (9.8) OpenClaw before 2026.3.28 contains a sender policy bypass vulnerability in the Google Chat and Zalouser extensions where route-level group allowlist policies silently downgrade to open policy. Attackers can exploit this policy resolution flaw to b... šŸ”— https://www.thehackerwire.com/vulnerability/CVE-2026-33578/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post
TheHackerWire
TheHackerWire
@thehackerwire
Mar 31, 2026

šŸ”“ CVE-2026-33578 - Critical (9.8) OpenClaw before 2026.3.28 contains a sender policy bypass vulnerability in the Google Chat and Zalouser extensions where route-level group allowlist policies silently downgrade to open policy. Attackers can exploit this policy resolution flaw to b... šŸ”— https://www.thehackerwire.com/vulnerability/CVE-2026-33578/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post
TheHackerWire
TheHackerWire
@thehackerwire
Mar 31, 2026

šŸ”“ CVE-2026-33578 - Critical (9.8) OpenClaw before 2026.3.28 contains a sender policy bypass vulnerability in the Google Chat and Zalouser extensions where route-level group allowlist policies silently downgrade to open policy. Attackers can exploit this policy resolution flaw to b... šŸ”— https://www.thehackerwire.com/vulnerability/CVE-2026-33578/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post
TheHackerWire
TheHackerWire
@thehackerwire
Mar 31, 2026

šŸ”“ CVE-2026-33578 - Critical (9.8) OpenClaw before 2026.3.28 contains a sender policy bypass vulnerability in the Google Chat and Zalouser extensions where route-level group allowlist policies silently downgrade to open policy. Attackers can exploit this policy resolution flaw to b... šŸ”— https://www.thehackerwire.com/vulnerability/CVE-2026-33578/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID
CVE-2026-33578
Severity
Critical
CVSS Score
9.8
Type
broken_access_control
Status
new
EPSS
0.0%
Social Posts
4

CWE

  • CWE-863

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

0.0%Probability of exploitation in the next 30 days