GHSA-GW85-XP4Q-5GP9: Authorization Bypass in OpenClaw Synology Chat Extension

The vulnerability affects OpenClaw, a personal AI assistant platform, specifically within its Synology Chat integration extension. This component exposes a webhook endpoint designed to receive messages from Synology Chat and dispatch them to an AI agent for processing. The security model relies on a configuration parameter, dmPolicy, which dictates whether the bot should respond to all users (open) or a specific subset (allowlist).

The core issue lies in the implementation of the allowlist logic. In secure system design, an empty access control list (ACL) under a restrictive policy should typically result in a 'deny-all' state (fail-closed). However, the OpenClaw implementation contained a logic flaw where an empty allowlist resulted in an 'allow-all' state (fail-open). This behavior directly contradicts the administrator's intent to restrict access, effectively exposing the AI agent to unauthorized interaction from any user capable of reaching the webhook endpoint.

The root cause is a logic error in the authorization helper function checkUserAllowed located in extensions/synology-chat/src/security.ts. This function is responsible for validating whether an incoming user ID exists within the configured allowedUserIds array.

The vulnerability stems from an explicit short-circuit condition added to handle empty lists. The developer implemented a check if (allowedUserIds.length === 0) return true;, presumably to handle cases where the user intended an open policy or to avoid iteration overhead. However, this check was applied even when the explicit policy mode was set to strict allowlisting. Consequently, when an administrator configured the system to be secure (dmPolicy: "allowlist") but had not yet populated the user list, the check bypasses validation entirely, returning true for every request.

The vulnerability is clearly visible in the comparison between the flawed implementation and the patched version in extensions/synology-chat/src/security.ts.

Vulnerable Code (Before Patch): The function explicitly defaults to allowing access if the list is empty, undermining the allowlist policy.

export function checkUserAllowed(userId: string, allowedUserIds: string[]): boolean {
  // VULNERABILITY: Explicit fail-open logic
  if (allowedUserIds.length === 0) return true;
  return allowedUserIds.includes(userId);
}

Patched Code (After Fix): The fix removes the short-circuit and updates the logic to strict containment. Additionally, the webhook handler was updated to return a 403 Forbidden status if the configuration is invalid (allowlist mode with empty list).

export function checkUserAllowed(userId: string, allowedUserIds: string[]): boolean {
  // FIX: Remove fail-open check. Now relies strictly on inclusion.
  return allowedUserIds.includes(userId);
}

The patch ensures that if allowedUserIds is empty, includes(userId) will return false, enforcing a 'fail-closed' security posture.

Exploiting this vulnerability requires no special tools or authentication credentials, only network access to the OpenClaw webhook endpoint and the ability to send messages via Synology Chat.

Prerequisites:

1. The target OpenClaw instance must have the Synology Chat extension enabled.
2. The configuration must be set to dmPolicy: "allowlist".
3. The allowedUserIds array must be empty (e.g., during initial setup or misconfiguration).

Attack Steps: An attacker simply sends a standard message to the bot. The webhook handler receives the payload, extracts the sender's user ID, and passes it to checkUserAllowed. Due to the empty list, the function returns true. The application then proceeds to dispatch the AI agent. The agent processes the attacker's prompt as if it came from a trusted administrator, potentially executing configured tools (e.g., 'summarize this document', 'query the database', or 'restart service').

The impact of this vulnerability is critical because it bridges the gap between unauthenticated external users and internal AI capabilities. OpenClaw agents are often configured with 'tools'—functions that allow the AI to interact with filesystems, APIs, or system commands to perform tasks.

Consequences:

• Unauthorized Action Execution: An attacker can instruct the bot to perform actions it is capable of, such as modifying data or triggering external workflows.
• Data Leakage: If the agent has access to sensitive context or history, an attacker could prompt it to reveal that information.
• Resource Exhaustion: An attacker could spam the bot, triggering expensive LLM inference calls or saturating the backend.

Given the CVSS score of 9.8, this is a remote exploitation vector that results in a total loss of confidentiality and integrity regarding the agent's operations.