142 matches found
EUVD-2026-9892
OpenClaw versions prior to 2026.2.14 contain a privilege escalation vulnerability in the Slack slash-command handler that incorrectly authorizes any direct message sender when dmPolicy is set to open must be configured. Attackers can execute privileged slash commands via direct message to bypass...
OpenClaw 安全漏洞
OpenClaw is an open-source intelligent artificial assistant. Versions of OpenClaw prior to 2026.2.2 contained security vulnerabilities. These vulnerabilities stemmed from the ability to bypass the DM permission list matching in the Matrix plugin, allowing remote Matrix users to impersonate...
Incorrect Authorization
Overview @openclaw/matrix is an OpenClaw Matrix channel plugin Affected versions of this package are vulnerable to Incorrect Authorization through improper access control in the pairing store process. An attacker can gain unauthorized access to another account's direct message pairing by leveragi...
Incorrect Authorization
Overview @openclaw/feishu is an OpenClaw Feishu/Lark channel plugin community maintained by @m1heng Affected versions of this package are vulnerable to Incorrect Authorization through improper access control in the pairing store process. An attacker can gain unauthorized access to another account...
Incorrect Authorization
Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Incorrect Authorization through improper access control in the pairing store process. An attacker can gain unauthorized access to another account's direct message pairing by leveraging...
Incorrect Authorization
Overview @openclaw/bluebubbles is an OpenClaw BlueBubbles channel plugin Affected versions of this package are vulnerable to Incorrect Authorization through improper access control in the pairing store process. An attacker can gain unauthorized access to another account's direct message pairing b...
Incorrect Authorization
Overview @openclaw/zalouser is an OpenClaw Zalo Personal Account plugin via native zca-js integration Affected versions of this package are vulnerable to Incorrect Authorization through improper access control in the pairing store process. An attacker can gain unauthorized access to another...
Incorrect Authorization
Overview @openclaw/zalo is an OpenClaw Zalo channel plugin Affected versions of this package are vulnerable to Incorrect Authorization through improper access control in the pairing store process. An attacker can gain unauthorized access to another account's direct message pairing by leveraging...
GHSA-354R-7MFH-7RH2 OpenClaw: Discord DM reaction ingress missed dmPolicy/allowFrom checks in restricted setups
Summary In OpenClaw = 2026.2.25 Fix Commits - aedf62ac7e669a89c7b299201bf6537dc6b12e0e Release Process Note patchedversions is pre-set to the release 2026.2.25 so after npm release the advisory is published. Thanks @tdjackey for reporting...
OpenClaw: Discord DM reaction ingress missed dmPolicy/allowFrom checks in restricted setups
Summary In OpenClaw = 2026.2.25 Fix Commits - aedf62ac7e669a89c7b299201bf6537dc6b12e0e Release Process Note patchedversions is pre-set to the release 2026.2.25 so after npm release the advisory is published. Thanks @tdjackey for reporting...
OpenClaw DM pairing-store identities could satisfy group allowlist authorization
Summary DM pairing-store identities were incorrectly eligible for group allowlist authorization checks, enabling cross-context authorization in group message paths. Details In affected versions, group allowlist evaluation could inherit identities from the DM pairing store. A sender approved via D...
BIT-DISCOURSE-2026-27152 DIscourse has DM communication-preference bypass when adding members
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, DM communication-preference bypass when adding members via Chat::AddUsersToChannel — a user could add targets who have blocked/ignored/muted them to an existing DM channel, bypassing per-recipien...
PT-2026-26408
Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.2.26 Description OpenClaw is affected by an authorization bypass issue where DM pairing-store identities are incorrectly eligible for group allowlist authorization checks. This cross-context authorization flaw...
GHSA-WM8R-W8PF-2V6W OpenClaw has Signal group allowlist authorization bypass via DM pairing-store leakage
Summary In OpenClaw 2026.2.25, Signal group authorization under groupPolicy=allowlist could accept sender identities sourced from DM pairing-store approvals. This allowed DM pairing approvals to leak into group allowlist evaluation. Impact This is an authorization-boundary weakness between DM...
OpenClaw has Signal group allowlist authorization bypass via DM pairing-store leakage
Summary In OpenClaw 2026.2.25, Signal group authorization under groupPolicy=allowlist could accept sender identities sourced from DM pairing-store approvals. This allowed DM pairing approvals to leak into group allowlist evaluation. Impact This is an authorization-boundary weakness between DM...
OpenClaw has an unspecified vulnerability (CNVD-2026-13383)
OpenClaw is openclaw open source an intelligent artificial assistant. OpenClaw has a security vulnerability that stems from the fact that under iMessage groupPolicy=allowlist, the identity of the sender from the DM pairing store can satisfy the group authorization, which can be exploited by an...
CVE-2026-27152 DIscourse has DM communication-preference bypass when adding members
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, DM communication-preference bypass when adding members via Chat::AddUsersToChannel — a user could add targets who have blocked/ignored/muted them to an existing DM channel, bypassing per-recipien...
CVE-2026-27152 DIscourse has DM communication-preference bypass when adding members
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, DM communication-preference bypass when adding members via Chat::AddUsersToChannel — a user could add targets who have blocked/ignored/muted them to an existing DM channel, bypassing per-recipien...
CVE-2026-26328
OpenClaw is a personal AI assistant. Prior to version 2026.2.14, under iMessage groupPolicy=allowlist, group authorization could be satisfied by sender identities coming from the DM pairing store, broadening DM trust into group contexts. Version 2026.2.14 fixes the issue...
CVE-2026-26328
OpenClaw is affected by CVE-2026-26328: prior to version 2026.2.14, under iMessage groupPolicy=allowlist, group authorization could be satisfied by sender identities from the DM pairing store, broadening DM trust into group contexts. This is documented across multiple sources, including Red Hat a...