
LINE Configuration Allows Unauthorized Access to Groups

GHSA-gp3q-wpq4-5c5h
Summary

A configuration issue in LINE's OpenClaw package can allow unauthorized users to access groups. In the affected configurations, a sender ID approved only through direct-message (DM) pairing could also pass a group allowlist check, so senders who were never added to a group allowlist could get into that group. To fix this, update OpenClaw to version 2026.2.26 or later.

What to do
  • Update openclaw to version 2026.2.26 or later.
Affected software

| Vendor | Product  | Affected versions | Fix available |
|--------|----------|-------------------|---------------|
| –      | openclaw | <= 2026.2.25      | 2026.2.26     |
Original title
OpenClaw: LINE group allowlist scope mismatch with DM pairing-store entries
Original description
### Summary
In specific LINE configurations, sender IDs approved through DM pairing could also satisfy group allowlist checks when operators expected group sender access to be scoped only to explicit group allowlists.

### Affected Packages / Versions
- Package: `openclaw` (npm)
- Latest published version at triage/update time: `2026.2.25`
- Affected: `<= 2026.2.25`
- Patched: `>= 2026.2.26` (planned next release)

### Impact
This is a group-authorization scope mismatch. DM pairing-store entries could influence group sender authorization in allowlist mode.

### Technical Details
Root cause: group allowlist composition inherited pairing-store entries intended for DM approvals. Under default DM pairing policy, a DM-paired sender could match group allowlist checks.

Fixes on `main`:
- isolate group allowlist composition from pairing-store entries
- centralize shared DM/group allowlist composition to preserve DM-only pairing behavior
- add regression coverage for LINE and Mattermost policy paths
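The following is an added example that models the scope mismatch described above; it is not openclaw's own code, and the shape of the configuration (`dm.policy`, `group.policy`, `allowFrom`), the `pairingStore` set and the sender IDs are assumptions constructed for illustration. It places the vulnerable group allowlist composition (which inherits pairing-store entries) beside the isolated form, keeps pairing-store entries in the DM composition only, and includes an operator check that lists the pairing-store IDs a group check would accept on an unpatched build for a given configuration.

```javascript
"use strict";

// Added example, not openclaw's own code: a constructed model of the
// group allowlist / DM pairing-store scope mismatch. All names (pairingStore,
// allowFrom, policy values) and sender IDs are assumptions for illustration.

// Constructed state: sender IDs approved through the DM pairing flow, and an
// operator-configured group allowlist that deliberately does NOT include them.
const pairingStore = new Set(["U-dm-approved-1"]);
const config = {
  dm: { policy: "pairing", allowFrom: [] },
  group: { policy: "allowlist", allowFrom: ["U-group-member-1"] },
};

// Vulnerable composition: the group allowlist inherits pairing-store entries,
// so a sender approved only for DMs also satisfies the group allowlist check.
function composeGroupAllowlistVulnerable(cfg, store) {
  return new Set([...cfg.group.allowFrom, ...store]);
}

// Fixed composition: the group allowlist is built from the explicit group
// configuration only; pairing-store entries never flow into it.
function composeGroupAllowlistFixed(cfg) {
  return new Set(cfg.group.allowFrom);
}

// Shared DM composition: pairing-store entries are honoured only here, which
// preserves DM-only pairing behaviour when the DM policy is "pairing".
function composeDmAllowlist(cfg, store) {
  const allow = new Set(cfg.dm.allowFrom);
  if (cfg.dm.policy === "pairing") {
    for (const id of store) allow.add(id);
  }
  return allow;
}

// Group sender check in allowlist mode; `fixed` selects which composition runs.
function isGroupSenderAllowed(senderId, cfg, store, fixed) {
  if (cfg.group.policy !== "allowlist") {
    throw new Error("this model only covers group allowlist mode");
  }
  const allow = fixed
    ? composeGroupAllowlistFixed(cfg)
    : composeGroupAllowlistVulnerable(cfg, store);
  return allow.has(senderId);
}

function isDmSenderAllowed(senderId, cfg, store) {
  return composeDmAllowlist(cfg, store).has(senderId);
}

// Operator check: sender IDs the vulnerable composition would admit to groups
// solely because they sit in the pairing store. A non-empty result on an
// unpatched version means the mismatch is live for this configuration.
function pairingEntriesLeakingIntoGroups(cfg, store) {
  const explicit = new Set(cfg.group.allowFrom);
  return [...store].filter((id) => !explicit.has(id)).sort();
}

// Stand-alone demonstration of the mismatch and of the fix.
function demo() {
  const dmPaired = "U-dm-approved-1";
  return {
    dmPairedReachesGroupBeforeFix: isGroupSenderAllowed(dmPaired, config, pairingStore, false),
    dmPairedReachesGroupAfterFix: isGroupSenderAllowed(dmPaired, config, pairingStore, true),
    dmPairedStillReachesDm: isDmSenderAllowed(dmPaired, config, pairingStore),
    explicitGroupMemberAfterFix: isGroupSenderAllowed("U-group-member-1", config, pairingStore, true),
    unknownSenderAfterFix: isGroupSenderAllowed("U-unknown", config, pairingStore, true),
    leakingIds: pairingEntriesLeakingIntoGroups(config, pairingStore),
  };
}

console.log(demo());
```

Running the block prints the `demo()` object: before the fix the DM-paired sender is accepted by the group check, after the fix it is rejected while still being accepted for DMs, and `leakingIds` names it as the one pairing-store entry that a group check would have accepted only because of the inherited store.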

### Fix Commit(s)
- `8bdda7a651c21e98faccdbbd73081e79cffe8be0`
- `892a9c24b0f6118729ab5b5f5499b1a7e792dd15` (follow-up refactor hardening)

### Release Process Note
`patched_versions` is pre-set to `>= 2026.2.26` so once npm `2026.2.26` is published, this advisory can be published directly without additional version-field edits.

Thanks @tdjackey for reporting.
Severity (GHSA, CVSS 3.1): 7.1
Vulnerability type
CWE-863 Incorrect Authorization
Published: 12 Mar 2026 · Updated: 13 Mar 2026 · First seen: 12 Mar 2026