CVE
CVE-2026-33576
OpenClaw: Zalo channel downloads media before sender authorization
Summary
The Zalo image path fetched and stored inbound media before the DM/pairing authorization checks ran.
Impact
Unauthorized senders could force network fetches and disk writes in the inbound media store even when the message itself was rejected.
Affected Component
extensions/zalo/src/monitor.ts
Fixed Versions
- Affected:
<= 2026.3.24 - Patched:
>= 2026.3.28 - Latest stable
2026.3.28contains the fix.
Fix
Fixed by commit 68ceaf7a5f (zalo: gate image downloads before DM auth).
Package Versions Affected
Package Version
patch Availability
No items found.
Automatically patch vulnerabilities without upgrading
Fix Without Upgrading
Detect compatible fix
Apply safe remediation
Fix with a single pull request
CVSS Version
Severity
Base Score
CVSS Version
Score Vector
C
H
U
6.9
-
4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
C
H
U
0
-
3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
C
H
U
-
Related Resources
No items found.
References
https://github.com/openclaw/openclaw/security/advisories/GHSA-v2v2-f783-358j, https://nvd.nist.gov/vuln/detail/CVE-2026-33576, https://github.com/openclaw/openclaw/commit/68ceaf7a5f64a23e78b95eff055e4b497218312a, https://github.com/openclaw/openclaw, https://www.vulncheck.com/advisories/openclaw-unauthorized-media-download-via-zalo-channel
Basic Information
Ecosystem
