PT-2026-26387 · Openclaw · Openclaw

Tdjackey · Published 2026-03-19 · Updated 2026-03-19 · CVE-2026-32005

CVSS v3.1: 6.8 Medium (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N)

OpenClaw versions prior to 2026.2.25 fail to enforce sender authorization checks for interactive callbacks including block action, view submission, and view closed in shared workspace deployments. Unauthorized workspace members can bypass allowFrom restrictions and channel user allowlists to enqueue system-event text into active sessions.
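
The class of flaw described above, shown as an added example that is not OpenClaw's code: a dispatcher that gates only messages, beside one that applies the same sender check to interactive callbacks. The event shape, the policy object and all function names are assumptions made for illustration.

```javascript
// Added example with hypothetical names; not OpenClaw's code.
// Constructed policy: a global allowFrom list plus per-channel user allowlists.
const policy = {
  allowFrom: new Set(["U_ALICE", "U_BOB"]),
  channelUsers: new Map([["C_OPS", new Set(["U_ALICE"])]]),
};

const INTERACTIVE = new Set(["block_action", "view_submission", "view_closed"]);

// One authorization decision shared by every inbound event kind.
// Assumption: each event is already normalized to { type, userId, channelId, text },
// with channelId resolved to the channel of the session it targets.
function isSenderAllowed(policy, event) {
  const { userId, channelId } = event;
  if (!userId || !channelId) return false; // fail closed on missing identity
  if (!policy.allowFrom.has(userId)) return false;
  const perChannel = policy.channelUsers.get(channelId);
  // A channel with its own allowlist further restricts who may act there.
  return perChannel ? perChannel.has(userId) : true;
}

// Flawed shape: only messages are gated, so callbacks reach the session queue unchecked.
function dispatchUnchecked(policy, event, queue) {
  if (event.type === "message" && !isSenderAllowed(policy, event)) return false;
  queue.push(`[${event.type}] ${event.text}`);
  return true;
}

// Hardened shape: unknown types are dropped and the gate runs before any handler.
function dispatchChecked(policy, event, queue) {
  if (event.type !== "message" && !INTERACTIVE.has(event.type)) return false;
  if (!isSenderAllowed(policy, event)) return false;
  queue.push(`[${event.type}] ${event.text}`);
  return true;
}

// Constructed sample: a workspace member who is on neither list submits a view.
function runSample() {
  const event = { type: "view_submission", userId: "U_MALLORY", channelId: "C_OPS", text: "form data" };
  const unchecked = [];
  const checked = [];
  dispatchUnchecked(policy, event, unchecked);
  dispatchChecked(policy, event, checked);
  return { unchecked: unchecked.length, checked: checked.length };
}

console.log(runSample());
```
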

Fix

Weakness Enumeration: Incorrect Authorization

Related Identifiers: CVE-2026-32005

Affected Products: Openclaw