PT-2026-20371 · Tags: Apple, iMessage

Vincentkoc · Published 2026-02-18 · Updated 2026-02-20 · CVE-2026-26328

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions:
OpenClaw versions prior to 2026.2.14
clawdbot versions prior to 2026.1.24-3

Description: When iMessage is configured with groupPolicy=allowlist, group authorization could be satisfied by sender identities from the DM pairing store, extending DM trust into group contexts. The vulnerable logic in src/imessage/monitor/monitor-provider.ts derived effectiveGroupAllowFrom from both the static group allowlist and the DM pairing-store identities (storeAllowFrom). As a result, a sender approved via DM pairing could satisfy group authorization even when not explicitly listed in groupAllowFrom, weakening the separation between DM pairing and group allowlist authorization.

Recommendations: Update OpenClaw to version 2026.2.14 or later. Update clawdbot to version 2026.1.24-3 or later.
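The vulnerable derivation beside the corrected one, as an added TypeScript model that is not OpenClaw's code: it reproduces the authorization split the description above explains. The function names, config shape and sample identities are assumptions for illustration.

```typescript
// Added example (not OpenClaw's code). Models how effectiveGroupAllowFrom was
// derived before the fix versus after it. Names and config shape are assumed.

interface ImessageAuthConfig {
  groupPolicy: "allowlist";   // only the policy the advisory covers is modelled
  groupAllowFrom: string[];   // static group allowlist from configuration
  storeAllowFrom: string[];   // identities approved through DM pairing
}

type AllowFromDeriver = (cfg: ImessageAuthConfig) => Set<string>;

// Identities are compared case-insensitively after trimming (assumption).
function normalizeIdentity(id: string): string {
  return id.trim().toLowerCase();
}

// Vulnerable derivation (pre-fix behaviour as described): the effective group
// allowlist is the union of the static list and the DM pairing-store identities,
// so DM trust leaks into group authorization.
function buildGroupAllowFromVulnerable(cfg: ImessageAuthConfig): Set<string> {
  return new Set([...cfg.groupAllowFrom, ...cfg.storeAllowFrom].map(normalizeIdentity));
}

// Fixed derivation: group authorization consults only the explicit group
// allowlist; pairing-store identities are not considered here.
function buildGroupAllowFromFixed(cfg: ImessageAuthConfig): Set<string> {
  return new Set(cfg.groupAllowFrom.map(normalizeIdentity));
}

// Group authorization check parameterised by the derivation in use.
function isGroupSenderAllowed(
  cfg: ImessageAuthConfig,
  sender: string,
  derive: AllowFromDeriver,
): boolean {
  if (cfg.groupPolicy !== "allowlist") return false; // other policies out of scope
  return derive(cfg).has(normalizeIdentity(sender));
}

// Constructed sample: one sender is in the group allowlist, another only in
// the DM pairing store.
const sampleConfig: ImessageAuthConfig = {
  groupPolicy: "allowlist",
  groupAllowFrom: ["+15550100"],
  storeAllowFrom: ["+15550100", "dm-paired@example.com"],
};
```

A sender present only in storeAllowFrom passes the vulnerable check and is rejected by the fixed one; a sender listed in groupAllowFrom passes both.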


Weakness Enumeration

Improper Access Control
Incorrect Authorization

Related Identifiers

CVE-2026-26328
GHSA-G34W-4XQQ-H79M

Affected Products

OpenClaw
clawdbot
iMessage