GHSA-GW85-XP4Q-5GP9
GHSA-GW85-XP4Q-5GP9: Authorization Bypass in OpenClaw Synology Chat Extension
Alon Barad
Software EngineerMar 4, 2026·4 min read·24 visits
Executive Summary (TL;DR)
OpenClaw's Synology Chat extension fails to enforce access controls when an allowlist is empty, effectively treating a restricted policy as an open one. This allows any user with access to the webhook to dispatch AI agents and execute commands.
A critical authorization bypass vulnerability exists in the Synology Chat extension of the OpenClaw AI assistant infrastructure. The vulnerability arises from a 'fail-open' logic error in the user allowlist enforcement mechanism. When the `dmPolicy` is configured to `allowlist` but the list of allowed user IDs is left empty, the system defaults to permitting all traffic rather than denying it. This flaw allows unauthenticated remote attackers to interact with the AI agent, potentially triggering sensitive tools or workflows intended only for authorized administrators.
Vulnerability Overview
The vulnerability affects OpenClaw, a personal AI assistant platform, specifically within its Synology Chat integration extension. This component exposes a webhook endpoint designed to receive messages from Synology Chat and dispatch them to an AI agent for processing. The security model relies on a configuration parameter, dmPolicy, which dictates whether the bot should respond to all users (open) or a specific subset (allowlist).
The core issue lies in the implementation of the allowlist logic. In secure system design, an empty access control list (ACL) under a restrictive policy should typically result in a 'deny-all' state (fail-closed). However, the OpenClaw implementation contained a logic flaw where an empty allowlist resulted in an 'allow-all' state (fail-open). This behavior directly contradicts the administrator's intent to restrict access, effectively exposing the AI agent to unauthorized interaction from any user capable of reaching the webhook endpoint.
Root Cause Analysis
The root cause is a logic error in the authorization helper function checkUserAllowed located in extensions/synology-chat/src/security.ts. This function is responsible for validating whether an incoming user ID exists within the configured allowedUserIds array.
The vulnerability stems from an explicit short-circuit condition added to handle empty lists. The developer implemented a check if (allowedUserIds.length === 0) return true;, presumably to handle cases where the user intended an open policy or to avoid iteration overhead. However, this check was applied even when the explicit policy mode was set to strict allowlisting. Consequently, when an administrator configured the system to be secure (dmPolicy: "allowlist") but had not yet populated the user list, the check bypasses validation entirely, returning true for every request.
Code Analysis
The vulnerability is clearly visible in the comparison between the flawed implementation and the patched version in extensions/synology-chat/src/security.ts.
Vulnerable Code (Before Patch): The function explicitly defaults to allowing access if the list is empty, undermining the allowlist policy.
export function checkUserAllowed(userId: string, allowedUserIds: string[]): boolean {
// VULNERABILITY: Explicit fail-open logic
if (allowedUserIds.length === 0) return true;
return allowedUserIds.includes(userId);
}Patched Code (After Fix): The fix removes the short-circuit and updates the logic to strict containment. Additionally, the webhook handler was updated to return a 403 Forbidden status if the configuration is invalid (allowlist mode with empty list).
export function checkUserAllowed(userId: string, allowedUserIds: string[]): boolean {
// FIX: Remove fail-open check. Now relies strictly on inclusion.
return allowedUserIds.includes(userId);
}The patch ensures that if allowedUserIds is empty, includes(userId) will return false, enforcing a 'fail-closed' security posture.
Exploitation Methodology
Exploiting this vulnerability requires no special tools or authentication credentials, only network access to the OpenClaw webhook endpoint and the ability to send messages via Synology Chat.
Prerequisites:
- The target OpenClaw instance must have the Synology Chat extension enabled.
- The configuration must be set to
dmPolicy: "allowlist". - The
allowedUserIdsarray must be empty (e.g., during initial setup or misconfiguration).
Attack Steps:
An attacker simply sends a standard message to the bot. The webhook handler receives the payload, extracts the sender's user ID, and passes it to checkUserAllowed. Due to the empty list, the function returns true. The application then proceeds to dispatch the AI agent. The agent processes the attacker's prompt as if it came from a trusted administrator, potentially executing configured tools (e.g., 'summarize this document', 'query the database', or 'restart service').
Impact Assessment
The impact of this vulnerability is critical because it bridges the gap between unauthenticated external users and internal AI capabilities. OpenClaw agents are often configured with 'tools'—functions that allow the AI to interact with filesystems, APIs, or system commands to perform tasks.
Consequences:
- Unauthorized Action Execution: An attacker can instruct the bot to perform actions it is capable of, such as modifying data or triggering external workflows.
- Data Leakage: If the agent has access to sensitive context or history, an attacker could prompt it to reveal that information.
- Resource Exhaustion: An attacker could spam the bot, triggering expensive LLM inference calls or saturating the backend.
Given the CVSS score of 9.8, this is a remote exploitation vector that results in a total loss of confidentiality and integrity regarding the agent's operations.
Fix Analysis (2)
Technical Appendix
CVSS Score
9.8/ 10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HAffected Systems
OpenClaw (Synology Chat Extension)
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
OpenClaw OpenClaw | < 2026-02-24 (commit 0ee3036) | commit 0ee3036 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-863 |
| Vulnerability Type | Incorrect Authorization |
| CVSS Score | 9.8 (Critical) |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
MITRE ATT&CK Mapping
CWE-863
Incorrect Authorization
The software performs an authorization check when an actor attempts to access a resource or perform an action, but it fails to correctly perform the check. This allows attackers to bypass intended access restrictions.
Vulnerability Timeline
Fix committed to main repository
2026-02-24
Documentation updated with changelog
2026-02-24
GitHub Advisory Published
2026-02-24
