Description
OpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerability where DM pairing-store identities are incorrectly eligible for group allowlist authorization checks. Attackers can exploit this cross-context authorization flaw by using a sender approved via DM pairing to satisfy group sender allowlist checks without explicit presence in groupAllowFrom, bypassing group message access controls.
Published: 2026-03-19
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Bypass of group access controls
Action: Immediate Patch
AI Analysis

Impact

The vulnerability lies in how OpenClaw handles DM pairing-store identities. In versions older than 2026.2.26 the system incorrectly grants group allowlist permissions to identities that were authorized through DM pairing. An attacker who can leverage a DM pairing identity—either by creating one or reusing an existing one—can cause the application to treat that identity as if it were explicitly listed in a group's allowlist. The result is that the attacker can send messages to or read messages from a group for which they normally lack permission, leading to disclosure of private conversations or potential injection of malicious content. The weakness corresponds to an authorization control failure.
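As an added illustration (not OpenClaw's own code; the shape of the DM pairing store and the per-group config are assumptions for the example), the cross-context check the advisory describes is shown beside a corrected version, plus a small audit helper that lists identities the flawed logic would admit:

```javascript
// Constructed sample state. In this model the DM pairing store is a set of
// sender ids approved through DM pairing, and each group carries its own
// groupAllowFrom list (the only page-given identifier; the rest is assumed).
const pairingStore = new Set(['user:alice', 'user:mallory']);
const groupConfig = { groupAllowFrom: ['user:alice', 'user:bob'] };

// Flawed check, modelling the advisory's description: an identity found in the
// DM pairing store satisfies the group allowlist even when it is absent from
// groupAllowFrom. The two authorization contexts are wrongly merged.
function isGroupSenderAllowedVulnerable(sender, group, store) {
  return group.groupAllowFrom.includes(sender) || store.has(sender);
}

// Corrected check: group authorization consults only the group's own allowlist.
// DM pairing approval is a separate context and is never consulted here.
function isGroupSenderAllowedFixed(sender, group) {
  return group.groupAllowFrom.includes(sender);
}

// Audit helper for operators of unpatched instances: returns paired identities
// that the flawed logic would admit to the group without being allowlisted.
function pairedButNotAllowlisted(group, store) {
  return [...store].filter((id) => !group.groupAllowFrom.includes(id));
}

// Stand-alone demonstration on the constructed state.
console.log(isGroupSenderAllowedVulnerable('user:mallory', groupConfig, pairingStore)); // true
console.log(isGroupSenderAllowedFixed('user:mallory', groupConfig));                    // false
console.log(pairedButNotAllowlisted(groupConfig, pairingStore));                         // ['user:mallory']
```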

Affected Systems

OpenClaw is the affected software. All releases prior to 2026.2.26, which includes every version from the first public release up through 2026.2.25, are vulnerable. The advisory specifies that the issue was fixed in the 2026.2.26 release, so any instance running a version earlier than that should be considered at risk.

Risk and Exploitability

The CVSS score of 7.1 indicates a high impact with medium exploitability. The EPSS metric shows a probability of less than 1 %, suggesting that automated exploitation is uncommon at present. The vulnerability is not listed in the CISA KEV catalog, so there is no evidence of active exploitation in the wild yet. Based on the description, the likely attack vector is a remote or local exploit that requires the attacker to gain control of a DM pairing identity, which could be achieved through social engineering or by compromising a legitimate user's credentials. Once the attacker has an accepted DM pairing identity, they can bypass the group allowlist and read or post in the restricted group.

Generated by OpenCVE AI on March 26, 2026 at 18:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the 2026.2.26 update or a later release to remove the vulnerability.
  • Verify that the running OpenClaw version matches the patched release.
  • If immediate update is not possible, suspend or disable DM pairing functionality until the patch is applied.
  • Monitor system logs for anomalous DM pairing activity or unauthorized group message access.
  • Review and tighten group allowlist configurations to exempt DM pairing identities or add additional checks.

Generated by OpenCVE AI on March 26, 2026 at 18:30 UTC.

Tracking


Advisories
Source: Github GHSA
ID: GHSA-jv6r-27ww-4gw4
Title: OpenClaw DM pairing-store identities could satisfy group allowlist authorization
History

Thu, 26 Mar 2026 17:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-22

Mon, 23 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-863

Fri, 20 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 19 Mar 2026 22:15:00 +0000

Type Values Removed Values Added
Description OpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerability where DM pairing-store identities are incorrectly eligible for group allowlist authorization checks. Attackers can exploit this cross-context authorization flaw by using a sender approved via DM pairing to satisfy group sender allowlist checks without explicit presence in groupAllowFrom, bypassing group message access controls.
Title OpenClaw < 2026.2.26 - Improper Authorization via DM Pairing Store Identity Inheritance in Group Allowlist
First Time appeared Openclaw
Openclaw openclaw
Weaknesses CWE-22
CPEs cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products Openclaw
Openclaw openclaw
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-26T16:19:42.882Z

Reserved: 2026-03-10T19:48:40.709Z

Link: CVE-2026-32027

Vulnrichment

Updated: 2026-03-20T17:01:57.463Z

NVD

Status : Modified

Published: 2026-03-19T22:16:37.713

Modified: 2026-03-26T17:16:35.110

Link: CVE-2026-32027

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:21:36Z

Weaknesses