CVE-2026-32027

6.5 MEDIUM

Published: March 19, 2026 Modified: March 19, 2026

Description

OpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerability where DM pairing-store identities are incorrectly eligible for group allowlist authorization checks. Attackers can exploit this cross-context authorization flaw by using a sender approved via DM pairing to satisfy group sender allowlist checks without explicit presence in groupAllowFrom, bypassing group message access controls.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0

Vector String

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory

https://github.com/openclaw/openclaw/commit/051fdcc428129446e7c084260f837b7284279ce9

Source: disclosure@vulncheck.com

https://github.com/openclaw/openclaw/commit/8bdda7a651c21e98faccdbbd73081e79cffe8be0

Source: disclosure@vulncheck.com

https://github.com/openclaw/openclaw/security/advisories/GHSA-jv6r-27ww-4gw4

Source: disclosure@vulncheck.com

https://www.vulncheck.com/advisories/openclaw-improper-authorization-via-dm-pairing-store-identity-inheritance-in-group-allowlist

Source: disclosure@vulncheck.com

4 reference(s) from NVD

Quick Stats

CVSS v3 Score

6.5 / 10.0

Exploitation Status

Not in CISA KEV

Weaknesses (CWE)

CWE-22

Related CVEs

CVE-2026-4478 8.1

CVE-2026-4477 3.1

CVE-2026-4476 6.3

CVE-2026-4475 8.8

CVE-2026-4474 2.4