OpenClaw before 2026.3.22 contains a policy confusion vulnerability in room authorization that matches colliding room names instead of…
VulnCheck·CWE-807·Published 2026-03-26
OpenClaw before 2026.3.22 contains a policy confusion vulnerability in room authorization that matches colliding room names instead of stable room tokens. Attackers can exploit similarly named rooms to bypass allowlist policies and gain unauthorized access to protected Nextcloud Talk rooms.
OpenClaw before 2026.3.22 contains a policy confusion vulnerability in room authorization that matches colliding room names instead of stable room tokens. Attackers can exploit similarly named rooms to bypass allowlist policies and gain unauthorized access to protected Nextcloud Talk rooms.
## Summary Nextcloud Talk room authorization matched on collidable room names instead of the stable room token, allowing policy confusion across similarly named rooms. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected: < 2026.3.22 - Fixed: >= 2026.3.22 - Latest released tag checked: `v2026.3.23-2` (`630f1479c44f78484dfa21bb407cbe6f171dac87`) - Latest published npm version checked: `2026.3.23-2` ## Fix Commit(s) - `a47722de7e3c9cbda8d5512747ca7e3bb8f6ee66` ## Release Status The fix shipped in `v2026.3.22` and remains present in `v2026.3.23` and `v2026.3.23-2`. ## Code-Level Confirmation - extensions/nextcloud-talk/src/inbound.ts now resolves allowlist policy from roomToken-backed room identity. - extensions/nextcloud-talk/src/policy.ts now keys room authorization on stable room tokens instead of display names. OpenClaw thanks @zpbrent for reporting.
## Summary Nextcloud Talk room authorization matched on collidable room names instead of the stable room token, allowing policy confusion across similarly named rooms. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected: < 2026.3.22 - Fixed: >= 2026.3.22 - Latest released tag checked: `v2026.3.23-2` (`630f1479c44f78484dfa21bb407cbe6f171dac87`) - Latest published npm version checked: `2026.3.23-2` ## Fix Commit(s) - `a47722de7e3c9cbda8d5512747ca7e3bb8f6ee66` ## Release Status The fix shipped in `v2026.3.22` and remains present in `v2026.3.23` and `v2026.3.23-2`. ## Code-Level Confirmation - extensions/nextcloud-talk/src/inbound.ts now resolves allowlist policy from roomToken-backed room identity. - extensions/nextcloud-talk/src/policy.ts now keys room authorization on stable room tokens instead of display names. OpenClaw thanks @zpbrent for reporting.
| Version | Type | Source | Base | Exp | Impact | Vector |
|---|---|---|---|---|---|---|
| 3.1 | Primary | NVD | 5.4 | 2.8 | 2.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |
| 3.1 | Primary | cve.org | 4.2 | — | — | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N |
| 3.1 | Secondary | GHSA | 4.2 | — | — | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N |
| 3.1 | Secondary | NVD | 4.2 | 1.6 | 2.5 | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N |
| 4.0 | Primary | cve.org | 2.3 | — | — | CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
| 4.0 | Secondary | GHSA | 2.3 | — | — | CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
| 4.0 | Secondary | NVD | 2.3 | — | — | CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |