CVE-2026-32027

OpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerability where DM pairing-store identities are incorrectly eligible for group allowlist authorization checks. Attackers can exploit this cross-context authorization flaw by using a sender approved via DM pairing to satisfy group sender allowlist checks without explicit presence in groupAllowFrom, bypassing group message access controls.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/openclaw/openclaw/commit/051fdcc428129446e7c084260f837b7284279ce9	Patch
https://github.com/openclaw/openclaw/commit/8bdda7a651c21e98faccdbbd73081e79cffe8be0	Patch
https://github.com/openclaw/openclaw/security/advisories/GHSA-jv6r-27ww-4gw4	Vendor Advisory
https://www.vulncheck.com/advisories/openclaw-improper-authorization-via-dm-pairing-store-identity-inheritance-in-group-allowlist	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*

History

26 Mar 2026, 17:16

Type	Values Removed	Values Added
Summary		(es) Las versiones de OpenClaw anteriores a 2026.2.26 contienen una vulnerabilidad de omisión de autorización donde las identidades del almacén de emparejamiento de MD son incorrectamente elegibles para las comprobaciones de autorización de la lista de permitidos del grupo. Los atacantes pueden explotar esta falla de autorización de contexto cruzado utilizando un remitente aprobado mediante emparejamiento de MD para satisfacer las comprobaciones de la lista de permitidos del remitente del grupo sin presencia explícita en groupAllowFrom, omitiendo los controles de acceso a mensajes del grupo.
CWE	~~CWE-22~~

23 Mar 2026, 15:25

Type	Values Removed	Values Added
References	~~() https://github.com/openclaw/openclaw/commit/051fdcc428129446e7c084260f837b7284279ce9 -~~	() https://github.com/openclaw/openclaw/commit/051fdcc428129446e7c084260f837b7284279ce9 - Patch
References	~~() https://github.com/openclaw/openclaw/commit/8bdda7a651c21e98faccdbbd73081e79cffe8be0 -~~	() https://github.com/openclaw/openclaw/commit/8bdda7a651c21e98faccdbbd73081e79cffe8be0 - Patch
References	~~() https://github.com/openclaw/openclaw/security/advisories/GHSA-jv6r-27ww-4gw4 -~~	() https://github.com/openclaw/openclaw/security/advisories/GHSA-jv6r-27ww-4gw4 - Vendor Advisory
References	~~() https://www.vulncheck.com/advisories/openclaw-improper-authorization-via-dm-pairing-store-identity-inheritance-in-group-allowlist -~~	() https://www.vulncheck.com/advisories/openclaw-improper-authorization-via-dm-pairing-store-identity-inheritance-in-group-allowlist - Third Party Advisory
CWE		CWE-863
First Time		Openclaw openclaw Openclaw
CPE		cpe:2.3:a:openclaw:openclaw::::::node.js::*

19 Mar 2026, 22:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-19 22:16

Updated : 2026-03-26 17:16

NVD link : CVE-2026-32027

Mitre link : CVE-2026-32027

CVE.ORG link : CVE-2026-32027

JSON object : View

Products Affected

openclaw

openclaw

CWE

CWE-863

Incorrect Authorization

6.5 /10