OpenClaw Authorization Bypass Vulnerability (CNVD-2026-14837)

OpenClaw is an intelligent artificial assistant open-sourced by OpenClaw. OpenClaw suffers from an authorization bypass vulnerability that stems from the system incorrectly treating DM paired stored identities as group allowlist identities when dmPolicy is set to pairing and groupPolicy is set to...

CVE-2026-32006

OpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerability where DM pairing-store identities are incorrectly treated as group allowlist identities when dmPolicy=pairing and groupPolicy=allowlist. Remote attackers can send messages and reactions as DM-paired identities...

CVE-2026-32006

CVE-2026-32006 affects OpenClaw versions prior to 2026.2.26. The issue is an authorization bypass where DM pairing-store identities are incorrectly treated as group allowlist identities when dmPolicy=pairing and groupPolicy=allowlist. This allows remote attackers to send messages and reactions as...

OpenClaw 安全漏洞

OpenClaw is an intelligent artificial assistant open-sourced by OpenClaw. OpenClaw suffers from an authorization bypass vulnerability that stems from the system incorrectly treating DM paired stored identities as group allowlist identities when dmPolicy is set to pairing and groupPolicy is set to...

Incorrect Authorization

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Incorrect Authorization in the isAllowedParsedChatSender process. An attacker can gain unauthorized access to direct messaging or reaction features by sending messages from an untrusted...

PT-2026-26004

Summary BlueBubbles is an optional OpenClaw channel plugin. A configuration-sensitive access-control mismatch allowed DM senders to be treated as authorized when dmPolicy was pairing or allowlist and allowFrom was empty/unset. Severity Rationale Medium Severity is set to medium because: - this...

OpenClaw has a BlueBubbles group allowlist mismatch via DM pairing-store fallback

Summary In [email protected], BlueBubbles group authorization could incorrectly treat DM pairing-store identities as group allowlist identities when dmPolicy=pairing and groupPolicy=allowlist. A sender that was only DM-paired not explicitly present in groupAllowFrom could pass group sender check...

Incorrect Authorization

Overview @openclaw/voice-call is an OpenClaw voice-call plugin Affected versions of this package are vulnerable to Incorrect Authorization in the group authorization process when groupPolicy=allowlist and dmPolicy=pairing are configured and pairing-store entries are present. An attacker can gain...