PT-2026-25407 · Npm · Openclaw

Published

2026-03-03

·

Updated

2026-03-03

CVSS v3.1

4.3

Medium

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Summary

In openclaw@2026.2.25, BlueBubbles group authorization could incorrectly treat DM pairing-store identities as group allowlist identities when dmPolicy=pairing and groupPolicy=allowlist.
A sender that was only DM-paired (not explicitly present in groupAllowFrom) could pass group sender checks for message and reaction ingress.
Per OpenClaw's SECURITY.md trust model, this is a constrained authorization-consistency issue, not a multi-tenant boundary bypass or host-privilege escalation.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Latest published npm version at triage time: 2026.2.25
  • Affected versions: <= 2026.2.25
  • Patched versions: >= 2026.2.26 (planned next release)

Technical Details

Root cause was DM/group allowlist composition where DM pairing-store identities could flow into group authorization decisions.
Fix approach:
  • centralize DM/group authorization composition via shared resolvers
  • remove local DM/group list recomposition at channel callsites
  • add cross-channel regression coverage for message + reaction ingress
  • add CI guard to block future pairing-store leakage into group auth composition

Impact

  • Affects deployments using BlueBubbles with groupPolicy=allowlist and dmPolicy=pairing when pairing-store entries are present.
  • Could allow DM-authorized identities to be treated as group-authorized without explicit groupAllowFrom membership.
  • Does not bypass gateway auth, sandbox boundaries, or create new host-level privilege beyond existing DM authorization.

Fix Commit(s)

  • 051fdcc428129446e7c084260f837b7284279ce9

Release Process Note

patched versions is pre-set to the planned next release (2026.2.26) so once npm 2026.2.26 is published, this advisory can be published without further content edits.
OpenClaw thanks @tdjackey for reporting.

Fix

Incorrect Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-863

Related Identifiers

GHSA-25PW-4H6W-QWVM

Affected Products

Openclaw