Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.
6.3

OpenClaw versions prior to 2026.2.22 with the optional BlueBubbles plugin contain an access control bypass vulnerability where empty allowFrom configuration causes dmPolicy pairing and allowlist re...

GHSA-jwf4-8wf4-jf2m CVE-2026-22170
Summary

OpenClaw versions prior to 2026.2.22 with the optional BlueBubbles plugin contain an access control bypass vulnerability where empty allowFrom configuration causes dmPolicy pairing and allowlist restrictions to be ineffective. Remote attackers can send direct messages to BlueBubbles accounts by expl...

What to do
  • Update steipete openclaw to version 2026.2.22.
Affected software
VendorProductAffected versionsFix available
steipete openclaw <= 2026.2.22 2026.2.22
Original title
OpenClaw versions prior to 2026.2.22 with the optional BlueBubbles plugin contain an access control bypass vulnerability where empty allowFrom configuration causes dmPolicy pairing and allowlist re...
Original description
OpenClaw versions prior to 2026.2.22 with the optional BlueBubbles plugin contain an access control bypass vulnerability where empty allowFrom configuration causes dmPolicy pairing and allowlist restrictions to be ineffective. Remote attackers can send direct messages to BlueBubbles accounts by exploiting the misconfigured allowlist validation logic to bypass intended sender authorization checks.
osv CVSS4.0 7.3
Vulnerability type
CWE-863 Incorrect Authorization
Published: 18 Mar 2026 · Updated: 18 Mar 2026 · First seen: 18 Mar 2026