Description
OpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerability where DM pairing-store identities are incorrectly treated as group allowlist identities when dmPolicy=pairing and groupPolicy=allowlist. Remote attackers can send messages and reactions as DM-paired identities without explicit groupAllowFrom membership to bypass group sender authorization checks.
Published: 2026-03-19
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Authorization Bypass
Action: Patch Now
AI Analysis

Impact

OpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerability. The flaw arises when DM pairing-store identities are incorrectly treated as group allowlist identities while the configuration dmPolicy=pairing and groupPolicy=allowlist are active. A remote attacker can send messages and reactions using those DM‑paired identities even if the target user is not a member of the group’s allowlist, effectively bypassing group sender authorization checks and impersonating other users in group chats. This weakness is categorized as CWE-863, which describes improper validation of authorization attributes.

Affected Systems

The vulnerability affects all deployments of the OpenClaw product that are running a version earlier than 2026.2.26. No further sub‑version details are provided beyond the "< 2026.2.26" threshold. The affected vendor is OpenClaw.

Risk and Exploitability

The CVSS v3.10 score is 2.3, indicating low severity. EPSS data is not reported, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is explicitly remote, as the description states that attackers can send messages to DM‑paired identities. While the impact is mainly the ability to impersonate users within group chats, and does not affect confidentiality or integrity of stored data, the potential for social engineering checks means it should still be addressed in a timely manner.

Generated by OpenCVE AI on March 19, 2026 at 23:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the OpenClaw vendor website or security advisories for an available patch or update. Install any released patch that addresses the described authorization bypass. If no patch is available, monitor official channels for an update and consider limiting or disabling DM‑paired message handling until remediation is applied.

Generated by OpenCVE AI on March 19, 2026 at 23:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-25pw-4h6w-qwvm OpenClaw has a BlueBubbles group allowlist mismatch via DM pairing-store fallback
History

Fri, 20 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 19 Mar 2026 22:15:00 +0000

Type Values Removed Values Added
Description OpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerability where DM pairing-store identities are incorrectly treated as group allowlist identities when dmPolicy=pairing and groupPolicy=allowlist. Remote attackers can send messages and reactions as DM-paired identities without explicit groupAllowFrom membership to bypass group sender authorization checks.
Title OpenClaw < 2026.2.26 - Authorization Bypass via DM Pairing-Store Fallback in Group Allowlist
First Time appeared Openclaw
Openclaw openclaw
Weaknesses CWE-863
CPEs cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products Openclaw
Openclaw openclaw
References
Metrics cvssV3_1

{'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N'}

cvssV4_0

{'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Openclaw Openclaw
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-20T18:10:14.403Z

Reserved: 2026-03-10T19:48:13.664Z

Link: CVE-2026-32006

cve-icon Vulnrichment

Updated: 2026-03-20T18:02:18.602Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-19T22:16:33.157

Modified: 2026-03-24T21:22:22.613

Link: CVE-2026-32006

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-20T11:05:37Z

Weaknesses