6 matches found

Github Security Blog
added 2026/04/17 10:32 p.m., 9 views

OpenClaw: Matrix room control-command authorization no longer trusts DM pairing-store entries

Summary: Matrix room control-command authorization used the effective allowlist for room traffic, which included sender IDs learned from the Matrix DM pairing store. A sender who was allowed only for a Matrix DM could therefore authorize room control commands when they also posted in a bot room...

CVSS 8.8 | AI score 5.6 | EPSS 0.00288
Exploits: 0 | References: 8 | Affected software: 1
EUVD
added 2026/04/01 12:01 a.m., 5 views

EUVD-2026-17435

OpenClaw: Google Chat and Zalouser group sender allowlist bypass via policy downgrade...

CVSS 5.3 | AI score 5.8 | EPSS 0.00297
Exploits: 0 | References: 4
OSV
added 2026/03/19 10:16 p.m., 6 views

CVE-2026-32027

OpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerability where DM pairing-store identities are incorrectly eligible for group allowlist authorization checks. Attackers can exploit this cross-context authorization flaw by using a sender approved via DM pairing to satisfy...

CVSS 6.5 | AI score 5.9
Exploits: 0 | References: 4
EUVD
added 2026/03/19 1:00 a.m., 6 views

EUVD-2026-13021

OpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerability where Signal group allowlist policy incorrectly accepts sender identities from DM pairing-store approvals. Attackers can exploit this boundary weakness by obtaining DM pairing approval to bypass group allowlist...

CVSS 4.6 | AI score 5.8 | EPSS 0.00152
Exploits: 0 | References: 4
OSV
added 2026/03/03 7:17 p.m., 2 views

GHSA-JV6R-27WW-4GW4 OpenClaw DM pairing-store identities could satisfy group allowlist authorization

Summary: DM pairing-store identities were incorrectly eligible for group allowlist authorization checks, enabling cross-context authorization in group message paths. Details: In affected versions, group allowlist evaluation could inherit identities from the DM pairing store. A sender approved via D...

CVSS 7.1 | AI score 5.9 | EPSS 0.00238
Exploits: 0 | References: 6
Snyk
added 2026/03/02 10:14 p.m., 1 view

Incorrect Authorization

Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Incorrect Authorization in the group allowlist authorization. An attacker can gain unauthorized access to group communications by leveraging DM pairing-store approvals to bypass explicit...

CVSS 4.6 | AI score 5.9 | EPSS 0.00152
Exploits: 0 | References: 2