js · openclaw · Critical
OpenClaw Zalo allowFrom Binds to Mutable Display Names
Zalo allowFrom could bind to mutable display names, allowing a contact with mutable display metadata to match a policy entry through that metadata.
What changed
Before the fix, the Zalo allowFrom policy could match an inbound contact on its display name instead of a stable identifier. Display names are mutable and chosen by the contact, so a lower-trust contact could set display metadata that matches an allowlist entry and be treated as an allowed sender.
Who it affects
Users of OpenClaw who have the affected Zalo feature enabled and reachable, and whose deployment lets lower-trust contacts (anyone able to set their own Zalo display metadata) send input into that path.
What to do today
Update to version 2026.5.3 or later. If you cannot update yet, apply the mitigations: key allowFrom entries to stable Zalo identifiers rather than display names, restrict friend access, narrow allowlists to the contacts that actually need access, avoid sharing a Gateway between untrusted users, and disable the Zalo feature if it is not needed.
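The following is an added illustration of the display-name binding described under "What changed" and of the "use stable Zalo identifiers" mitigation above. It is not OpenClaw's code: the contact shape, the field names `userId` and `displayName`, the allowFrom array format and the identifier pattern are all assumptions made for this example. Two constructed contacts share a display name; the weak matcher lets both through, the stable-identifier matcher admits only the one whose identifier is on the list, and a small policy check rejects allowlists that still contain names.

```javascript
// Added example, not OpenClaw's own code. Field names, the allowFrom
// format and ID_PATTERN are assumptions for illustration only.

// Constructed inbound contacts: a trusted operator, and a lower-trust
// contact who has changed their display name to match the operator's.
const CONTACTS = [
  { userId: "8451920011", displayName: "Alice (Ops)" },
  { userId: "3390018877", displayName: "Alice (Ops)" }, // impersonator
];

// Weak policy: entries are display names (mutable, contact-controlled).
const WEAK_ALLOW_FROM = ["Alice (Ops)"];
// Corrected policy: entries are stable user identifiers.
const STRICT_ALLOW_FROM = ["8451920011"];

// Vulnerable matcher: binds the policy to display metadata, so anyone who
// can rename themselves to an allowlisted name is admitted.
function isAllowedByDisplayName(contact, allowFrom) {
  return allowFrom.includes(contact.displayName);
}

// Assumed shape of a stable identifier: digits only, fixed length range.
// Used both to validate the inbound id and to refuse name-like entries.
const ID_PATTERN = /^[0-9]{6,20}$/;

// Hardened matcher: requires a well-formed stable identifier on the
// contact and matches it only against well-formed policy entries, so a
// display name can never satisfy the policy even if it slips into the list.
function isAllowedByStableId(contact, allowFrom) {
  if (typeof contact.userId !== "string" || !ID_PATTERN.test(contact.userId)) {
    return false;
  }
  return allowFrom.some(
    (entry) => typeof entry === "string" && ID_PATTERN.test(entry) && entry === contact.userId
  );
}

// Policy lint: flag allowlist entries that are not stable identifiers,
// so a configuration still keyed on names is caught before deployment.
function validateAllowFrom(allowFrom) {
  const rejected = allowFrom.filter((e) => !ID_PATTERN.test(String(e)));
  return { ok: rejected.length === 0, rejected };
}

// Run every constructed contact through a matcher with a given policy.
function evaluate(allowFrom, matcher) {
  return CONTACTS.map((c) => ({ userId: c.userId, allowed: matcher(c, allowFrom) }));
}

// Stand-alone demonstration.
console.log("weak policy, display-name matcher:", evaluate(WEAK_ALLOW_FROM, isAllowedByDisplayName));
console.log("strict policy, stable-id matcher:", evaluate(STRICT_ALLOW_FROM, isAllowedByStableId));
console.log("lint of weak policy:", validateAllowFrom(WEAK_ALLOW_FROM));
```

The identifier checked by the hardened matcher must come from the messaging platform's own sender field, not from any value the contact can edit; binding to a stable field that is itself user-writable would reintroduce the same problem under a different name.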