CVE-2026-53837

OpenClaw before 2026.5.6 contains an improper access control vulnerability in Mattermost event handlers that fails to validate channel type metadata. Attackers can bypass intended DM policy decisions by sending crafted Mattermost events missing channel type information to process restricted conte...

CVE-2026-53837 OpenClaw < 2026.5.6 - Missing Channel Type Validation in Mattermost Event Handlers

OpenClaw before 2026.5.6 contains an improper access control vulnerability in Mattermost event handlers that fails to validate channel type metadata. Attackers can bypass intended DM policy decisions by sending crafted Mattermost events missing channel type information to process restricted conte...

CVE-2026-53837

CVE-2026-53837 affects OpenClaw prior to 2026.5.6, where an improper access control vulnerability in Mattermost event handlers fails to validate channel type metadata. Attackers can bypass DM policy decisions by sending crafted Mattermost events that omit channel type information, enabling proces...

EUVD-2026-29138

OpenClaw before 2026.4.20 contains a message classification vulnerability in Feishu card-action callbacks that misclassifies direct messages as group conversations. Attackers can bypass dmPolicy enforcement by triggering card-action flows in direct message conversations that should have been...

CVE-2026-35647

OpenClaw before 2026.3.25 contains an access control vulnerability where verification notices bypass DM policy checks and reply to unpaired peers. Attackers can send verification notices to users outside allowed direct message policies by exploiting insufficient access validation before message...

CVE-2026-35647

OpenClaw before 2026.3.25 contains an access control vulnerability where verification notices bypass DM policy checks and reply to unpaired peers. Attackers can send verification notices to users outside allowed direct message policies by exploiting insufficient access validation before message...

EUVD-2026-21440

OpenClaw before 2026.3.25 contains an access control vulnerability where verification notices bypass DM policy checks and reply to unpaired peers. Attackers can send verification notices to users outside allowed direct message policies by exploiting insufficient access validation before message...

CVE-2026-35647

OpenClaw before 2026.3.25 contains an access control flaw: verification notices bypass DM policy checks and reply to unpaired peers due to insufficient access validation before transmission. This could allow sending verification notices to users outside allowed direct message policies. Root cause...

PT-2026-31959

OpenClaw before 2026.3.25 contains an access control vulnerability where verification notices bypass DM policy checks and reply to unpaired peers. Attackers can send verification notices to users outside allowed direct message policies by exploiting insufficient access validation before message...

GHSA-9WQX-G2CW-VC7R OpenClaw: Matrix Verification Notices Bypass Matrix DM Policy and Reply to Unpaired DM Peers

Summary Matrix Verification Notices Bypass Matrix DM Policy and Reply to Unpaired DM Peers Affected Packages / Versions - Package: openclaw - Affected versions: = 2026.3.24 - First patched version: 2026.3.25 - Latest published npm version at verification time: 2026.3.24 Details Matrix verificatio...

CVE-2026-32067

OpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerability in the pairing-store access control for direct message pairing policy that allows attackers to reuse pairing approvals across multiple accounts. An attacker approved as a sender in one account can be automatically...

CVE-2026-32028

OpenClaw versions prior to 2026.2.25 fail to enforce dmPolicy and allowFrom authorization checks on Discord direct-message reaction notifications, allowing non-allowlisted users to enqueue reaction-derived system events. Attackers can exploit this inconsistency by reacting to bot-authored DM...

CVE-2026-32028

OpenClaw

OpenClaw: Discord DM reaction ingress missed dmPolicy/allowFrom checks in restricted setups

Summary In OpenClaw = 2026.2.25 Fix Commits - aedf62ac7e669a89c7b299201bf6537dc6b12e0e Release Process Note patchedversions is pre-set to the release 2026.2.25 so after npm release the advisory is published. Thanks @tdjackey for reporting...

GHSA-354R-7MFH-7RH2 OpenClaw: Discord DM reaction ingress missed dmPolicy/allowFrom checks in restricted setups

Summary In OpenClaw = 2026.2.25 Fix Commits - aedf62ac7e669a89c7b299201bf6537dc6b12e0e Release Process Note patchedversions is pre-set to the release 2026.2.25 so after npm release the advisory is published. Thanks @tdjackey for reporting...

PT-2026-23521

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.2.14 Description The Slack slash-command handler incorrectly authorizes any direct message sender when the dmPolicy is set to open. This allows attackers to execute privileged slash commands via direct message,...