OpenClaw versions 2026.2.22 and 2026.2.23 contain an authorization bypass vulnerability in the synology-chat channel plugin where dmPolicy set to allowlist with empty allowedUserIds fails open. Attackers with Synology sender access can bypass authorization checks and trigger unauthorized agent dispatch and downstream tool actions.
How AI Introduced This
Yes. The Synology Chat introduction commit `03586e3d0057b5975090d50dadcc5bc95b51f977`, co-authored by Claude Opus 4.6, created the fail-open authorization behavior by making `checkUserAllowed(..., [])` return `true` and wiring that result into the inbound webhook path that calls `deliver()`, which can trigger downstream agent and tool actions. The same commit also made the unsafe state easy to reach: accounts resolve to `dmPolicy: "allowlist"` while an empty `allowedUserIds` setting parses to `[]`, so an allowlist with no entries admitted every sender instead of rejecting them all.
Attribution Chain
Bug-Introducing Commits (1)
feat(channels): add Synology Chat native channel
Extracted from squash merge 03586e3
1 other sub-commit in this PR:
feat(synology-chat): add pairing, warnings, messaging, agent hints
Deep Verification
by GPT-5.4
Fix `0ee30361b8f6ef3f110f3a7b001da6dd3df96bb5` directly removes `if (allowedUserIds.length === 0) return true;` from `extensions/synology-chat/src/security.ts` and changes the comment/test from "empty allowlist = allow all users" to reject-empty behavior. `git_log_search` for that exact removed line and for the original test text (`allows any user when allowlist is empty`) both point to `03586e3d0057b5975090d50dadcc5bc95b51f977`, and blame on the pre-fix lines also attributes them to that commit. This is the core fail-open authorization bug the CVE describes.
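The code below is an added illustration and is not OpenClaw's own code. It shows the allowlist check in the fail-open shape the attribution and verification sections describe (an empty `allowedUserIds` array returns `true`) beside the fail-closed shape that the fix's removal of the early `return true` leaves behind, both driven through a simplified inbound gate. Only `checkUserAllowed`, `dmPolicy`, and `allowedUserIds` come from the page; the `ResolvedAccount` shape, `parseAllowedUserIds`, `shouldDispatch`, and the sample sender ids are assumptions made for the example.

```typescript
// Added example, not OpenClaw's code. checkUserAllowed, dmPolicy and
// allowedUserIds are the names the advisory uses; everything else here
// (ResolvedAccount, parseAllowedUserIds, shouldDispatch) is an assumption.

interface ResolvedAccount {
  dmPolicy: string; // the advisory only names "allowlist"
  allowedUserIds: string[];
}

// Assumed parsing: a blank or missing setting becomes [], which is exactly
// the state that made the fail-open branch reachable.
function parseAllowedUserIds(raw: string | undefined): string[] {
  if (!raw) return [];
  return raw
    .split(",")
    .map((s) => s.trim())
    .filter((s) => s.length > 0);
}

// Fail-open shape described on the page: an empty allowlist admits everyone.
function checkUserAllowedVulnerable(userId: string, allowedUserIds: string[]): boolean {
  if (allowedUserIds.length === 0) return true; // the line the fix removes
  return allowedUserIds.includes(userId);
}

// Fail-closed shape: an empty allowlist admits nobody. Only an explicit entry
// lets a sender through.
function checkUserAllowedFixed(userId: string, allowedUserIds: string[]): boolean {
  if (allowedUserIds.length === 0) return false;
  return allowedUserIds.includes(userId);
}

// Simplified stand-in for the inbound webhook gate (assumed structure). It
// returns whether the sender may reach deliver() and thus agent dispatch.
// Any policy other than the one the advisory names is denied here.
function shouldDispatch(
  account: ResolvedAccount,
  senderId: string,
  check: (userId: string, allowedUserIds: string[]) => boolean,
): boolean {
  if (account.dmPolicy !== "allowlist") return false;
  return check(senderId, account.allowedUserIds);
}

// Constructed sample: allowlist policy with the allowedUserIds setting left blank.
const misconfiguredAccount: ResolvedAccount = {
  dmPolicy: "allowlist",
  allowedUserIds: parseAllowedUserIds(""),
};

// Constructed sample: allowlist policy with one real entry.
const configuredAccount: ResolvedAccount = {
  dmPolicy: "allowlist",
  allowedUserIds: parseAllowedUserIds("alice"),
};

// Runs an arbitrary Synology sender (constructed id) against both checks on
// the misconfigured account, and a listed user against the fixed check on the
// configured account, so the two behaviours can be compared side by side.
function demo(): { vulnerableAdmitsStranger: boolean; fixedAdmitsStranger: boolean; fixedAdmitsListedUser: boolean } {
  const stranger = "synology-user-999";
  return {
    vulnerableAdmitsStranger: shouldDispatch(misconfiguredAccount, stranger, checkUserAllowedVulnerable),
    fixedAdmitsStranger: shouldDispatch(misconfiguredAccount, stranger, checkUserAllowedFixed),
    fixedAdmitsListedUser: shouldDispatch(configuredAccount, "alice", checkUserAllowedFixed),
  };
}

console.log(demo());
```

The operational check this suggests for any allowlist-style `dmPolicy` is the first case in `demo()`: feed a sender that is not in the list to an account whose list is empty and confirm the gate denies it. A deployment that resolves to `allowlist` by default should treat an empty list as a misconfiguration to surface, not as a wildcard.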
AI Signals (1)
| Tool | Signal | Evidence | Confidence |
| --- | --- | --- | --- |
| Claude Code | Co-author trailer | Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> | 95% |