PT-2026-26231 · Openclaw · Openclaw
Tdjackey
Published 2026-02-26 · Updated 2026-03-20
CVE-2026-31991
| CVSS v2.0 | 5.5 (Medium) |
| Vector | AV:N/AC:L/Au:S/C:P/I:P/A:N |
Name of the Vulnerable Software and Affected Versions
OpenClaw versions prior to 2026.2.26
Description
OpenClaw contains an authorization bypass: the Signal group allowlist policy incorrectly accepts sender identities that were approved through the direct message (DM) pairing store. Because the group check treats a DM pairing approval as sufficient, a sender who obtains DM pairing approval passes the group allowlist check without ever being explicitly allowlisted for the group, which lets an attacker gain unauthorized group access. The root cause is an authorization-boundary weakness between two separate controls, DM pairing and group allowlisting: an approval granted under one must not satisfy the other. The CVSS vector's Au:S reflects that the attacker must first obtain DM pairing approval.
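The following TypeScript model is an added illustration of the flaw class described above; it is not OpenClaw's code, and the store names, function names, identity format and group names are all assumptions made for the example. It places the vulnerable fallback (group check consulting the DM pairing store) beside the hardened check that decides solely on the group allowlist and fails closed when a group has no allowlist.

```typescript
// Added example modelling the authorization-boundary flaw described above.
// It is NOT OpenClaw's code: the store names, function names, identity
// format and group names are all assumptions made for illustration.

type SenderId = string;
type GroupId = string;

// Hypothetical DM pairing store: senders approved for direct messages.
const dmPairingStore: Set<SenderId> = new Set();

// Hypothetical per-group allowlist: senders explicitly permitted per group.
const groupAllowlist: Map<GroupId, Set<SenderId>> = new Map();

function approveDmPairing(sender: SenderId): void {
  dmPairingStore.add(sender);
}

function allowInGroup(group: GroupId, sender: SenderId): void {
  let members = groupAllowlist.get(group);
  if (members === undefined) {
    members = new Set();
    groupAllowlist.set(group, members);
  }
  members.add(sender);
}

// Vulnerable pattern: when the sender is not on the group allowlist the
// check falls back to the DM pairing store, so a DM-approved sender is
// accepted in any group without an explicit group allowlist entry.
function isGroupSenderAllowedVulnerable(group: GroupId, sender: SenderId): boolean {
  const members = groupAllowlist.get(group);
  if (members !== undefined && members.has(sender)) {
    return true;
  }
  return dmPairingStore.has(sender); // the boundary leak
}

// Hardened pattern: group access is decided solely by that group's
// allowlist. DM pairing state is never consulted, and a group with no
// allowlist denies every sender (fail closed).
function isGroupSenderAllowed(group: GroupId, sender: SenderId): boolean {
  const members = groupAllowlist.get(group);
  return members !== undefined && members.has(sender);
}

// Constructed scenario: one explicitly allowlisted member, one attacker who
// only obtained DM pairing approval, and one sender with no approval at all.
// Returns, for each sender in that order, what each check decides.
function runScenario(): { vulnerable: boolean[]; hardened: boolean[] } {
  dmPairingStore.clear();
  groupAllowlist.clear();

  const group: GroupId = "ops-team";          // constructed group name
  const member: SenderId = "+15550100001";    // constructed, allowlisted
  const attacker: SenderId = "+15550100002";  // constructed, DM-paired only
  const stranger: SenderId = "+15550100003";  // constructed, no approval

  allowInGroup(group, member);
  approveDmPairing(attacker);

  const senders = [member, attacker, stranger];
  return {
    vulnerable: senders.map((s) => isGroupSenderAllowedVulnerable(group, s)),
    hardened: senders.map((s) => isGroupSenderAllowed(group, s)),
  };
}

console.log(runScenario());
// vulnerable: [true, true, false]   hardened: [true, false, false]
```

The point to take from the model is the shape of the fix: the hardened check has no code path that reads the DM store at all, so the two approval scopes cannot leak into each other, and an unknown group denies rather than falling through to a weaker control.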
Recommendations
Update OpenClaw to version 2026.2.26 or later.
Fix
Weakness Enumeration
Incorrect Authorization
Related Identifiers
CVE-2026-31991
Affected Products
Openclaw