4 matches found
CVE-2026-32027 OpenClaw < 2026.2.26 - Improper Authorization via DM Pairing Store Identity Inheritance in Group Allowlist
OpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerability where DM pairing-store identities are incorrectly eligible for group allowlist authorization checks. Attackers can exploit this cross-context authorization flaw by using a sender approved via DM pairing to satisfy...
GHSA-JV6R-27WW-4GW4 OpenClaw DM pairing-store identities could satisfy group allowlist authorization
Summary: DM pairing-store identities were incorrectly eligible for group allowlist authorization checks, enabling cross-context authorization in group message paths.
Details: In affected versions, group allowlist evaluation could inherit identities from the DM pairing store. A sender approved via D...
PT-2026-26408
Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.2.26
Description: OpenClaw is affected by an authorization bypass issue where DM pairing-store identities are incorrectly eligible for group allowlist authorization checks. This cross-context authorization flaw...
GHSA-G34W-4XQQ-H79M OpenClaw iMessage group allowlist authorization inherited DM pairing-store identities
Summary: Under iMessage groupPolicy=allowlist, group authorization could be satisfied by sender identities coming from the DM pairing store, broadening DM trust into group contexts.
Details: Affected component: src/imessage/monitor/monitor-provider.ts. Vulnerable logic derived effectiveGroupAllowFr...