{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/synology-chat/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["OpenClaw","Synology Chat"],"_cs_severities":["high"],"_cs_tags":["synology-chat","openclaw","vulnerability"],"_cs_type":"advisory","_cs_vendors":["OpenClaw","Synology"],"content_html":"\u003cp\u003eOpenClaw is an open-source project that integrates with Synology Chat. A vulnerability was discovered where reply delivery could be misdirected. Specifically, versions of the \u003ccode\u003eopenclaw\u003c/code\u003e npm package prior to 2026.3.22 are affected. This vulnerability allows for the potential rebinding of Synology Chat reply delivery from the intended user_id to a different user based on mutable username matches. This could lead to an attacker receiving sensitive information intended for another user, or potentially escalating privileges if the attacker can impersonate an administrator or other privileged user. The vulnerability was patched in version 2026.3.22, which keeps replies bound to the stable webhook user identifier unless an explicit dangerous opt-in is enabled.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a target user within the Synology Chat environment.\u003c/li\u003e\n\u003cli\u003eAttacker creates a new Synology Chat user account with a username that closely resembles the target user's username or matches it if the target user has changed their username previously.\u003c/li\u003e\n\u003cli\u003eThe target user triggers a webhook event that generates a message in Synology Chat.\u003c/li\u003e\n\u003cli\u003eThe attacker's crafted account with a similar username causes OpenClaw to incorrectly resolve the reply delivery to the attacker's account due to the vulnerable username-based resolution logic in versions prior to 2026.3.22.\u003c/li\u003e\n\u003cli\u003eAny replies intended for the original user_id are now routed to the attacker's account.\u003c/li\u003e\n\u003cli\u003eThe attacker intercepts and views potentially sensitive information contained within the misdirected replies.\u003c/li\u003e\n\u003cli\u003eIf the target user has elevated privileges, the attacker could potentially gain access to sensitive system configurations or other restricted resources by intercepting administrative communications.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability could lead to information disclosure, where an attacker gains access to private conversations and data intended for other users. In scenarios involving privileged users, the impact could escalate to privilege escalation, potentially compromising the entire Synology Chat environment. The number of affected users and organizations depends on the adoption rate of OpenClaw with Synology Chat.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u003ccode\u003eopenclaw\u003c/code\u003e npm package to version 2026.3.22 or later to remediate the vulnerability.\u003c/li\u003e\n\u003cli\u003eAudit the \u003ccode\u003eextensions/synology-chat/src/config-schema.ts\u003c/code\u003e configuration to ensure the dangerous opt-in seam for username rebinding is disabled.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided below to monitor for potential exploitation attempts involving Synology Chat username manipulation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-02-openclaw-synology-chat-vuln/","summary":"A vulnerability exists in OpenClaw versions prior to 2026.3.22 where Synology Chat reply delivery can be rebound to a mutable username match instead of the stable numeric user_id, potentially leading to information disclosure or privilege escalation.","title":"OpenClaw Synology Chat Reply Delivery Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-02-openclaw-synology-chat-vuln/"}],"language":"en","title":"CraftedSignal Threat Feed - Synology-Chat","version":"https://jsonfeed.org/version/1.1"}