OpenClaw (prior to 2026.2.26) allows attackers to bypass account approvals
CVE-2026-32067
Summary
If you use OpenClaw versions earlier than 2026.2.26, an attacker who has been approved to send messages in one account can send messages to another account without needing approval. This could allow unauthorized access to sensitive information. Update to OpenClaw 2026.2.26 or later to fix this issue.
Original title
OpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerability in the pairing-store access control for direct message pairing policy that allows attackers to reuse pairing appr...
Original description
OpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerability in the pairing-store access control for direct message pairing policy that allows attackers to reuse pairing approvals across multiple accounts. An attacker approved as a sender in one account can be automatically accepted in another account in multi-account deployments without explicit approval, bypassing authorization boundaries.
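The description above is the CWE-863 pattern of an approval store whose lookup key omits the account the approval was granted in. The following Python is an added illustration written for this page, not OpenClaw's code and not the patch referenced below: it contrasts a hypothetical pairing store keyed by sender alone with one keyed by (account, sender), and shows how a multi-account regression check for this class of bug can be written. All class and function names are assumptions.

```python
"""Constructed illustration of the cross-account pairing-approval defect.

Both stores model a direct-message pairing policy: a sender may only message
an account once an approval for that sender has been recorded. The weak store
records approvals without the account they belong to, so an approval granted
in one account satisfies the check in every other account of the deployment.
"""
from dataclasses import dataclass, field


@dataclass
class UnscopedPairingStore:
    """Weak pattern (hypothetical): approvals keyed by sender only."""
    approved: set[str] = field(default_factory=set)

    def approve(self, account_id: str, sender_id: str) -> None:
        # account_id is accepted but never stored: this is the defect.
        self.approved.add(sender_id)

    def is_allowed(self, account_id: str, sender_id: str) -> bool:
        # Lookup ignores the account, so any account honours the approval.
        return sender_id in self.approved


@dataclass
class ScopedPairingStore:
    """Hardened pattern (hypothetical): approvals keyed by (account, sender)."""
    approved: set[tuple[str, str]] = field(default_factory=set)

    def approve(self, account_id: str, sender_id: str) -> None:
        self.approved.add((account_id, sender_id))

    def is_allowed(self, account_id: str, sender_id: str) -> bool:
        # Both halves of the key must match; an approval in account A says
        # nothing about account B.
        return (account_id, sender_id) in self.approved


def dm_decision(store, account_id: str, sender_id: str) -> str:
    """Policy outcome for an inbound DM: 'accept' or 'pending-approval'."""
    return "accept" if store.is_allowed(account_id, sender_id) else "pending-approval"


def cross_account_reuse(store_cls) -> bool:
    """Regression check for the multi-account case: approve a sender in
    account 'acct-a' only, then ask whether 'acct-b' would accept them.
    A correct store must return False."""
    store = store_cls()
    store.approve("acct-a", "sender-1")          # constructed sample ids
    return dm_decision(store, "acct-b", "sender-1") == "accept"


def own_account_still_allowed(store_cls) -> bool:
    """Sanity check: scoping must not break the account that granted approval."""
    store = store_cls()
    store.approve("acct-a", "sender-1")
    return dm_decision(store, "acct-a", "sender-1") == "accept"


if __name__ == "__main__":
    for cls in (UnscopedPairingStore, ScopedPairingStore):
        print(f"{cls.__name__}: cross-account reuse = {cross_account_reuse(cls)}, "
              f"own account ok = {own_account_still_allowed(cls)}")
```

The `cross_account_reuse` check is the test a deployment operator would want in any multi-account configuration: it fails loudly on the unscoped store and passes on the scoped one, while `own_account_still_allowed` guards against over-correcting into a store that rejects everyone.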
NVD CVSS 3.1: 3.7
NVD CVSS 4.0: 2.0
Vulnerability type: CWE-863 (Incorrect Authorization)
References
- https://github.com/openclaw/openclaw/commit/a0c5e28f3bf0cc0cd9311f9e9ec2ca035255...
- https://github.com/openclaw/openclaw/commit/bce643a0bd145d3e9cb55400af33bd1b85ba...
- https://github.com/openclaw/openclaw/security/advisories/GHSA-vjp8-wprm-2jw9
- https://www.vulncheck.com/advisories/openclaw-cross-account-authorization-bypass...
Published: 21 Mar 2026 · Updated: 21 Mar 2026 · First seen: 21 Mar 2026