Impact
OpenClaw’s group authorization system allowed group messages to be trusted based on identities stored in the DM pairing store when the group policy was set to allowlist. This flaw let an attacker who could supply a DM pairing store identity bypass all other group membership checks, thereby gaining membership and access to group messages that the user had not explicitly approved. The weakness arises from insufficient authorization checks, classified as CWE‑284 and CWE‑863. With this capability, an attacker can read, post, or forward messages within the group, compromising confidentiality, integrity, and potentially availability of the group communication.
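The authorization flaw described above, sketched as an added example; this is a simplified model, not OpenClaw's source code. The type and function names, the field names, and the "open" and "disabled" policy values are assumptions. The helper at the end lists DM-paired identities that the flawed check would have admitted to groups, which is the set to review after upgrading.

```typescript
// Hypothetical model of the authorization decision; not OpenClaw source code.
// Type names, field names and the "open"/"disabled" policy values are assumptions.
type GroupPolicy = "open" | "allowlist" | "disabled";

interface GroupAuthzConfig {
  groupPolicy: GroupPolicy;
  groupAllowFrom: string[]; // senders the user explicitly approved for groups
}

const normalize = (id: string): string => id.trim().toLowerCase();

function contains(list: string[], id: string): boolean {
  return list.map(normalize).indexOf(normalize(id)) !== -1;
}

// Flawed shape: identities paired for DMs are also accepted as group senders.
function groupSenderAllowedFlawed(
  cfg: GroupAuthzConfig, dmPairingStore: string[], sender: string): boolean {
  if (cfg.groupPolicy === "disabled") return false;
  if (cfg.groupPolicy === "open") return true;
  return contains(cfg.groupAllowFrom, sender) || contains(dmPairingStore, sender);
}

// Corrected shape: under "allowlist", only the explicit group allowlist counts.
function groupSenderAllowedFixed(cfg: GroupAuthzConfig, sender: string): boolean {
  if (cfg.groupPolicy === "disabled") return false;
  if (cfg.groupPolicy === "open") return true;
  return contains(cfg.groupAllowFrom, sender);
}

// Audit helper: DM-paired identities that the flawed check admits to groups
// but the corrected check rejects. Review these after upgrading.
function implicitlyTrustedSenders(
  cfg: GroupAuthzConfig, dmPairingStore: string[]): string[] {
  return dmPairingStore.filter(
    (id) => groupSenderAllowedFlawed(cfg, dmPairingStore, id) &&
            !groupSenderAllowedFixed(cfg, id));
}

// Constructed sample data (not taken from any real deployment).
const sampleCfg: GroupAuthzConfig = {
  groupPolicy: "allowlist",
  groupAllowFrom: ["alice@example.com"],
};
const sampleDmStore: string[] = ["Alice@Example.com", "mallory@example.com"];

console.log(implicitlyTrustedSenders(sampleCfg, sampleDmStore));
```

An identity that appears in both lists is not reported, because the explicit group allowlist already covers it.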
Affected Systems
The vulnerability affects OpenClaw’s openclaw and clawdbot components on all versions released before 2026.2.14. The fix was deployed in release v2026.2.14; later releases contain the corrected group authorization logic.
Risk and Exploitability
The CVSS score of 6.5 indicates moderate severity. The EPSS score is below 1%, suggesting a low probability of exploitation in the wild, and the issue is not present in CISA’s KEV catalog. It is inferred that exploitation would require the ability to insert or impersonate a DM pairing store identity, which might imply a privileged or compromised local user, limiting the attack surface. Nonetheless, any system where iMessage group communications are used for sensitive exchanges should treat this as a potential attack vector and apply the patch promptly.