CVE-2026-32006
OpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerability where DM pairing-store identities are incorrectly treated as group allowlist identities when dmPolicy=pairing and groupPolicy=allowlist. Remote attackers can send messages and reactions as DM-paired identities...
CVE-2026-26328
OpenClaw is affected by CVE-2026-26328: prior to version 2026.2.14, under iMessage groupPolicy=allowlist, group authorization could be satisfied by sender identities from the DM pairing store, broadening DM trust into group contexts. This is documented across multiple sources, including Red Hat a...
Incorrect Authorization
Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Incorrect Authorization via monitor-provider.ts. An attacker can gain unauthorized group access by leveraging DM pairing-store identities to satisfy group allowlist authorization, even if...