iMessage Group Authorization Bypass via DM Pairing
CVE-2026-26328
GHSA-g34w-4xqq-h79m
Summary
A vulnerability in OpenClaw's iMessage group authorization allows a sender approved via direct message pairing to access group conversations even if they're not explicitly allowed. This could lead to unauthorized access to sensitive information. Update to the latest version of OpenClaw (>= 2026.2.14) or clawdbot (>= 2026.1.24-4) to fix the issue.
What to do
- Update steipete/openclaw to version 2026.2.14.
- Update steipete/clawdbot to version 2026.2.14.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| steipete | openclaw | <= 2026.2.14 | 2026.2.14 |
| steipete | clawdbot | <= 2026.2.14 | 2026.2.14 |
| openclaw | openclaw | <= 2026.2.14 | – |
Original title
OpenClaw iMessage group allowlist authorization inherited DM pairing-store identities
Original description
## Summary
Under iMessage `groupPolicy=allowlist`, group authorization could be satisfied by sender identities coming from the DM pairing store, broadening DM trust into group contexts.
## Details
Affected component: `src/imessage/monitor/monitor-provider.ts`.
Vulnerable logic derived `effectiveGroupAllowFrom` using both the static group allowlist and DM pairing-store identities (`storeAllowFrom`). This allowed a sender approved via DM pairing to satisfy group authorization in groups even if the sender/chat was not explicitly present in `groupAllowFrom`.
This weakens boundary separation between DM pairing and group allowlist authorization.
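The derivation described above, shown as an added TypeScript example that is not OpenClaw's own code: a hypothetical `GroupAuthContext` carries the static group allowlist (`groupAllowFrom`), the DM pairing-store identities (`storeAllowFrom`) and the `groupPolicy`; the vulnerable derivation unions the two lists, the hardened one consults only the static group allowlist, and an audit helper lists the identities that would have gained group access solely through DM pairing. All type, function and sample identity names are assumptions chosen for illustration.

```typescript
// Added illustration of the advisory's authorization flaw. Hypothetical names,
// modelled on the advisory's terms; not OpenClaw's actual implementation.

type GroupPolicy = "allowlist" | "open" | "disabled";

interface GroupAuthContext {
  groupPolicy: GroupPolicy;
  groupAllowFrom: string[]; // static per-group allowlist from configuration
  storeAllowFrom: string[]; // sender identities approved through DM pairing
}

// Compare identities case-insensitively and ignore surrounding whitespace.
const normalize = (id: string): string => id.trim().toLowerCase();

// Vulnerable derivation (the pattern the advisory describes): the effective
// group allowlist is the union of the static group allowlist and the DM
// pairing-store identities, so a DM-paired sender passes group checks.
function effectiveGroupAllowFromVulnerable(ctx: GroupAuthContext): Set<string> {
  return new Set([...ctx.groupAllowFrom, ...ctx.storeAllowFrom].map(normalize));
}

// Hardened derivation: under groupPolicy=allowlist only the static group
// allowlist counts. DM pairing approvals never broaden group trust.
function effectiveGroupAllowFromFixed(ctx: GroupAuthContext): Set<string> {
  return new Set(ctx.groupAllowFrom.map(normalize));
}

// Group authorization decision. The derivation is injectable so the vulnerable
// and fixed behaviour can be compared side by side; default is the fixed one.
function isGroupSenderAuthorized(
  ctx: GroupAuthContext,
  sender: string,
  derive: (c: GroupAuthContext) => Set<string> = effectiveGroupAllowFromFixed,
): boolean {
  if (ctx.groupPolicy === "open") return true;
  if (ctx.groupPolicy === "allowlist") return derive(ctx).has(normalize(sender));
  return false; // "disabled" and any unknown policy fail closed
}

// Audit helper: identities the vulnerable derivation would have admitted to
// the group solely because of DM pairing. Useful for reviewing who may have
// had unintended group access before upgrading.
function pairingOnlyGroupIdentities(ctx: GroupAuthContext): string[] {
  const staticSet = new Set(ctx.groupAllowFrom.map(normalize));
  return [...new Set(ctx.storeAllowFrom.map(normalize))].filter((id) => !staticSet.has(id));
}

// Constructed sample: one sender is on the static group allowlist, another
// was only approved through DM pairing.
const sampleContext: GroupAuthContext = {
  groupPolicy: "allowlist",
  groupAllowFrom: ["+15550100"],
  storeAllowFrom: ["paired-dm-user@example.com"],
};

// Returns the decision both derivations reach for the DM-paired-only sender.
function demo(): { vulnerable: boolean; fixed: boolean } {
  const pairedOnly = "paired-dm-user@example.com";
  return {
    vulnerable: isGroupSenderAuthorized(sampleContext, pairedOnly, effectiveGroupAllowFromVulnerable),
    fixed: isGroupSenderAuthorized(sampleContext, pairedOnly),
  };
}
```

Running `demo()` shows the boundary the advisory is about: the same DM-paired sender is admitted to the group by the union-based derivation and rejected by the allowlist-only derivation, while a sender explicitly listed in `groupAllowFrom` is admitted by both.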
## Affected Packages / Versions
- `openclaw` (npm): affected `<= 2026.2.13`
- `clawdbot` (npm): affected `<= 2026.1.24-3`
## Fix Commit(s)
- `openclaw/openclaw@872079d42fe105ece2900a1dd6ab321b92da2d59`
- `openclaw/openclaw@90d1e9cd71419168b2faa54a759b124a3eacfae7`
Thanks @vincentkoc for reporting.
NVD CVSS 3.1 score: 6.5
Vulnerability type
CWE-284
Improper Access Control
CWE-863
Incorrect Authorization
References
- https://nvd.nist.gov/vuln/detail/CVE-2026-26328
- https://github.com/advisories/GHSA-g34w-4xqq-h79m
- https://github.com/openclaw/openclaw/commit/872079d42fe105ece2900a1dd6ab321b92da... (Patch)
- https://github.com/openclaw/openclaw/releases/tag/v2026.2.14 (Release Notes)
- https://github.com/openclaw/openclaw/security/advisories/GHSA-g34w-4xqq-h79m (Patch, Vendor Advisory)
Published: 18 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026