Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
5.3
OpenClaw Allows Unauthorized Users to Send Messages
GHSA-25pw-4h6w-qwvm
Summary
A bug in OpenClaw allows users who are only paired via direct message to send messages to groups they are not explicitly added to. This could let malicious users send messages to groups they shouldn't be able to reach. To fix this, update to the latest version of OpenClaw, which is due out soon.
What to do
- Update openclaw to version 2026.2.26.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | openclaw | <= 2026.2.25 | 2026.2.26 |
Original title
OpenClaw has a BlueBubbles group allowlist mismatch via DM pairing-store fallback
Original description
### Summary
In `[email protected]`, BlueBubbles group authorization could incorrectly treat DM pairing-store identities as group allowlist identities when `dmPolicy=pairing` and `groupPolicy=allowlist`.
A sender that was only DM-paired (not explicitly present in `groupAllowFrom`) could pass group sender checks for message and reaction ingress.
Per OpenClaw's `SECURITY.md` trust model, this is a constrained authorization-consistency issue, not a multi-tenant boundary bypass or host-privilege escalation.
### Affected Packages / Versions
- Package: `openclaw` (npm)
- Latest published npm version at triage time: `2026.2.25`
- Affected versions: `<= 2026.2.25`
- Patched versions: `>= 2026.2.26` (planned next release)
### Technical Details
Root cause was DM/group allowlist composition where DM pairing-store identities could flow into group authorization decisions.
Fix approach:
- centralize DM/group authorization composition via shared resolvers
- remove local DM/group list recomposition at channel callsites
- add cross-channel regression coverage for message + reaction ingress
- add CI guard to block future pairing-store leakage into group auth composition
### Impact
- Affects deployments using BlueBubbles with `groupPolicy=allowlist` and `dmPolicy=pairing` when pairing-store entries are present.
- Could allow DM-authorized identities to be treated as group-authorized without explicit `groupAllowFrom` membership.
- Does **not** bypass gateway auth, sandbox boundaries, or create new host-level privilege beyond existing DM authorization.
### Fix Commit(s)
- `051fdcc428129446e7c084260f837b7284279ce9`
### Release Process Note
`patched_versions` is pre-set to the planned next release (`2026.2.26`) so once npm `2026.2.26` is published, this advisory can be published without further content edits.
OpenClaw thanks @tdjackey for reporting.
In `[email protected]`, BlueBubbles group authorization could incorrectly treat DM pairing-store identities as group allowlist identities when `dmPolicy=pairing` and `groupPolicy=allowlist`.
A sender that was only DM-paired (not explicitly present in `groupAllowFrom`) could pass group sender checks for message and reaction ingress.
Per OpenClaw's `SECURITY.md` trust model, this is a constrained authorization-consistency issue, not a multi-tenant boundary bypass or host-privilege escalation.
### Affected Packages / Versions
- Package: `openclaw` (npm)
- Latest published npm version at triage time: `2026.2.25`
- Affected versions: `<= 2026.2.25`
- Patched versions: `>= 2026.2.26` (planned next release)
### Technical Details
Root cause was DM/group allowlist composition where DM pairing-store identities could flow into group authorization decisions.
Fix approach:
- centralize DM/group authorization composition via shared resolvers
- remove local DM/group list recomposition at channel callsites
- add cross-channel regression coverage for message + reaction ingress
- add CI guard to block future pairing-store leakage into group auth composition
### Impact
- Affects deployments using BlueBubbles with `groupPolicy=allowlist` and `dmPolicy=pairing` when pairing-store entries are present.
- Could allow DM-authorized identities to be treated as group-authorized without explicit `groupAllowFrom` membership.
- Does **not** bypass gateway auth, sandbox boundaries, or create new host-level privilege beyond existing DM authorization.
### Fix Commit(s)
- `051fdcc428129446e7c084260f837b7284279ce9`
### Release Process Note
`patched_versions` is pre-set to the planned next release (`2026.2.26`) so once npm `2026.2.26` is published, this advisory can be published without further content edits.
OpenClaw thanks @tdjackey for reporting.
ghsa CVSS4.0
5.3
Vulnerability type
CWE-863
Incorrect Authorization
Published: 3 Mar 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026