Description
OpenClaw versions prior to 2026.2.25 contain an access control vulnerability in signal reaction notification handling that allows unauthorized senders to enqueue status events before authorization checks are applied. Attackers can exploit the reaction-only event path in event-handler.ts to queue signal reaction status lines for sessions without proper DM or group access validation.
Published: 2026-03-21
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized status event injection
Action: Patch Immediately
AI Analysis

Impact

An access control flaw in the signal reaction notification handling permits a sender lacking proper authorization to enqueue status events before enforcement checks are applied. Because the status line is queued before the DM or group access check runs, an attacker can inject reaction status lines into a session, potentially corrupting data integrity or showing users false updates. The weakness is classified as CWE-863 (Incorrect Authorization).
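The ordering flaw described above, as an added illustration that is not OpenClaw's code (the handler names, the in-memory status queue and the DM/group access lists are assumptions constructed for this example): the vulnerable handler pushes the status line and only then consults the sender's DM or group access, so a denied sender still leaves a queued line behind; the hardened handler performs the check before any side effect.

```typescript
// Hypothetical illustration of the CWE-863 ordering flaw (not OpenClaw's
// event-handler.ts): a status line must not be enqueued until the sender's
// DM/group access has been verified.

type Sender = { id: string; groupId?: string };
type ReactionEvent = { sender: Sender; emoji: string; targetTimestamp: number };

// Constructed access policy: allowed DM senders and allowed group members.
const ALLOWED_DM: Set<string> = new Set(["alice"]);
const ALLOWED_GROUPS: Map<string, Set<string>> = new Map([
  ["team", new Set(["bob"])],
]);

function isAuthorized(sender: Sender): boolean {
  if (sender.groupId !== undefined) {
    const members = ALLOWED_GROUPS.get(sender.groupId);
    return members !== undefined && members.has(sender.id);
  }
  return ALLOWED_DM.has(sender.id);
}

function statusLine(ev: ReactionEvent): string {
  return `reaction ${ev.emoji} from ${ev.sender.id} on ${ev.targetTimestamp}`;
}

// Vulnerable ordering: the side effect (enqueue) happens before the check,
// so the later "denial" cannot undo the queued status line.
function handleReactionVulnerable(ev: ReactionEvent, queue: string[]): boolean {
  queue.push(statusLine(ev));
  if (!isAuthorized(ev.sender)) {
    return false;
  }
  return true;
}

// Hardened ordering: authorize first; an unauthorized sender produces no
// observable state change at all.
function handleReactionFixed(ev: ReactionEvent, queue: string[]): boolean {
  if (!isAuthorized(ev.sender)) {
    return false;
  }
  queue.push(statusLine(ev));
  return true;
}

// Runs both handlers over the same constructed events so the difference in
// queued output is directly comparable.
function demo(): { vulnerable: string[]; fixed: string[] } {
  const events: ReactionEvent[] = [
    { sender: { id: "alice" }, emoji: "+1", targetTimestamp: 1 },          // allowed DM
    { sender: { id: "mallory" }, emoji: "+1", targetTimestamp: 2 },        // not allowed
    { sender: { id: "bob", groupId: "team" }, emoji: "tada", targetTimestamp: 3 },     // allowed member
    { sender: { id: "mallory", groupId: "team" }, emoji: "tada", targetTimestamp: 4 }, // not a member
  ];
  const vulnerable: string[] = [];
  const fixed: string[] = [];
  for (const ev of events) {
    handleReactionVulnerable(ev, vulnerable);
    handleReactionFixed(ev, fixed);
  }
  return { vulnerable, fixed };
}

console.log(demo());
```

The useful invariant to test for in a handler like this is that a rejected sender leaves the queue unchanged: in the vulnerable ordering all four events end up queued, in the fixed ordering only the two authorized ones do.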

Affected Systems

All OpenClaw releases older than version 2026.2.25 are affected, including deployments that use the event-handler logic for reaction-only events. The vulnerability applies to the OpenClaw application running on Node.js environments as described by the affected CPE.

Risk and Exploitability

The issue carries a severity rating of 6.3 and no publicly available exploitation probability is reported. It is not part of the known-exploited vulnerability catalog. The likely attack path involves a remote request to the reaction event endpoint, where the bypass can be exercised without additional privileges. No active exploitation evidence has been documented, but the potential to inject unauthorized status sequences presents a moderate risk to data integrity and system behavior.

Generated by OpenCVE AI on March 21, 2026 at 08:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenClaw to version 2026.2.25 or later

Advisories

Source: Github GHSA
ID: GHSA-792q-qw95-f446
Title: OpenClaw's Signal reaction-only status events could, in limited cases, be enqueued before access checks
History

Mon, 23 Mar 2026 19:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 21 Mar 2026 05:30:00 +0000

Type: Description
Values Added: OpenClaw versions prior to 2026.2.25 contain an access control vulnerability in signal reaction notification handling that allows unauthorized senders to enqueue status events before authorization checks are applied. Attackers can exploit the reaction-only event path in event-handler.ts to queue signal reaction status lines for sessions without proper DM or group access validation.

Type: Title
Values Added: OpenClaw < 2026.2.25 - Unauthorized Reaction Status Event Enqueue via Access Check Bypass

Type: First Time appeared
Values Added: Openclaw; Openclaw openclaw

Type: Weaknesses
Values Added: CWE-863

Type: CPEs
Values Added: cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*

Type: Vendors & Products
Values Added: Openclaw; Openclaw openclaw

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N'}; cvssV4_0 {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-23T18:53:38.964Z

Reserved: 2026-03-10T19:48:47.515Z

Link: CVE-2026-32050

Vulnrichment

Updated: 2026-03-23T18:53:17.263Z

NVD

Status : Analyzed

Published: 2026-03-21T01:17:07.897

Modified: 2026-03-23T17:08:52.857

Link: CVE-2026-32050

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:33:24Z

Weaknesses