PT-2026-25133 · Npm · Openclaw

Published: 2026-03-02 · Updated: 2026-03-02

CVSS v3.1: 3.7 (Low)

Vector: AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N

Summary

In OpenClaw 2026.2.25, Signal group authorization under groupPolicy=allowlist could accept sender identities sourced from DM pairing-store approvals. This allowed DM pairing approvals to leak into group allowlist evaluation.

Impact

This is an authorization-boundary weakness between DM pairing and group allowlist controls. A sender approved for DM pairing could pass group checks without explicit group allowlisting.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Latest published version affected: 2026.2.25
  • Vulnerable range: <= 2026.2.25
  • Patched version (planned next release): >= 2026.2.26

Fix

OpenClaw now keeps DM pairing-store entries DM-only and enforces explicit group allowlist boundaries in shared DM/group policy resolution used by Signal and other channels.
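The authorization boundary described in the Summary and Fix sections, modeled as an added JavaScript example. This is not OpenClaw's code: the store names (dmPairingStore, groupAllowlist), the chatType/groupPolicy context fields and the function names are assumptions used only to illustrate the weakness and the corrected rule. The weak resolver lets DM pairing-store approvals influence group allowlist evaluation; the corrected resolver keeps pairing approvals DM-only and fails closed on unknown policies; a small audit helper lists identities that would have crossed the boundary, which an operator can use to review affected groups before and after upgrading.

```javascript
// Added example, not OpenClaw's code. Models the DM pairing-store vs group
// allowlist boundary. All identifiers below are assumptions for illustration.

// Constructed sample state: one identity approved only through DM pairing,
// one identity explicitly allowlisted for groups.
const stores = {
  dmPairingStore: new Set(["+15550001111"]),
  groupAllowlist: new Set(["+15559998888"]),
};

// Weak resolver (models the pre-fix behaviour): under groupPolicy=allowlist the
// group check also consults the DM pairing store, so a DM-paired sender passes
// in a group without ever being allowlisted for groups.
function resolveSenderAuthorizationWeak(ctx, sender, s) {
  if (ctx.chatType === "dm") {
    return s.dmPairingStore.has(sender) ? "allow" : "deny";
  }
  if (ctx.groupPolicy === "allowlist") {
    // BUG: pairing-store approvals leak into group allowlist evaluation
    return (s.groupAllowlist.has(sender) || s.dmPairingStore.has(sender)) ? "allow" : "deny";
  }
  return "allow";
}

// Corrected resolver: pairing-store entries are DM-only; group chats under
// groupPolicy=allowlist require explicit allowlist membership; any unknown
// chat type or policy fails closed.
function resolveSenderAuthorization(ctx, sender, s) {
  switch (ctx.chatType) {
    case "dm":
      return s.dmPairingStore.has(sender) ? "allow" : "deny";
    case "group":
      switch (ctx.groupPolicy) {
        case "open":
          return "allow";
        case "allowlist":
          return s.groupAllowlist.has(sender) ? "allow" : "deny";
        default:
          return "deny";
      }
    default:
      return "deny";
  }
}

// Audit helper for operators: identities that the weak resolver would admit to
// an allowlisted group but the corrected resolver denies. These are the senders
// who could have crossed the DM/group boundary before the fix.
function findLeakedGroupAdmissions(s) {
  const ctx = { chatType: "group", groupPolicy: "allowlist" };
  return [...s.dmPairingStore].filter(
    (id) =>
      resolveSenderAuthorizationWeak(ctx, id, s) === "allow" &&
      resolveSenderAuthorization(ctx, id, s) === "deny",
  );
}

// Stand-alone demonstration
const groupCtx = { chatType: "group", groupPolicy: "allowlist" };
console.log("weak  :", resolveSenderAuthorizationWeak(groupCtx, "+15550001111", stores)); // allow
console.log("fixed :", resolveSenderAuthorization(groupCtx, "+15550001111", stores)); // deny
console.log("leaked:", findLeakedGroupAdmissions(stores)); // [ '+15550001111' ]
```

The design point is that the two stores answer different questions: the pairing store says who may talk to the bot in a DM, the group allowlist says who may address it inside a group. A shared policy resolver must consult each store only for the chat type it governs, and should deny rather than allow when it sees a chat type or policy value it does not recognise.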

Fix Commit(s)

  • 8bdda7a651c21e98faccdbbd73081e79cffe8be0
  • 64de4b6d6ae81e269ceb4ca16f53cda99ced967a

Release Process Note

The patched version is pre-set to the planned next release (2026.2.26). After the npm publish of that version, this advisory is ready to publish without further content edits.
Thanks @tdjackey for reporting.

Weakness Enumeration

Incorrect Authorization

Related Identifiers

GHSA-WM8R-W8PF-2V6W

Affected Products

Openclaw