PT-2026-26387 · Openclaw · Openclaw

Tdjackey · Published 2026-03-04 · Updated 2026-03-20 · CVE-2026-32005

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.2.25

Description: OpenClaw fails to enforce sender authorization checks for interactive callbacks (block action, view submission, and view closed) in shared workspace deployments. This allows unauthorized workspace members to bypass sender restrictions and inject system-event text into active sessions. The issue does not provide unauthenticated access, cross-gateway isolation bypass, or host-level privilege escalation. The affected component's access control relies on sender restrictions such as allowFrom, DM policy, or channel user allowlists, which these callbacks bypass.

Recommendations: Update to version 2026.2.25 or later.
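To illustrate the weakness and its fix, here is an added example (not OpenClaw's code): the sender-restriction decision that inbound messages already go through, applied to interactive callbacks as well; the policy fields, their semantics and the session model are all hypothetical.

```typescript
// Added example, not OpenClaw's code. Names and policy semantics are hypothetical.
type CallbackKind = "block_action" | "view_submission" | "view_closed";

interface InteractiveCallback {
  kind: CallbackKind;
  userId: string;      // workspace member who triggered the callback
  channelId?: string;  // channel context; undefined for DM-originated callbacks
  text: string;        // text the callback would inject as a system event
}

interface SenderPolicy {
  allowFrom: string[];                          // user IDs allowed globally, "*" = any member
  dmPolicy: "open" | "allowlist";               // DM interactions: any member, or allowFrom only
  channelAllowlists: Record<string, string[]>;  // per-channel user allowlists (override allowFrom)
}

interface Session { events: string[] }

// The same decision inbound messages are gated on (hypothetical semantics).
function senderAllowed(policy: SenderPolicy, userId: string, channelId?: string): boolean {
  if (channelId === undefined) {
    // Direct message: an open policy admits any member, otherwise allowFrom only.
    return policy.dmPolicy === "open" || policy.allowFrom.includes(userId);
  }
  const channelList = policy.channelAllowlists[channelId];
  if (channelList !== undefined) return channelList.includes(userId);
  return policy.allowFrom.includes("*") || policy.allowFrom.includes(userId);
}

// Vulnerable shape: the callback path never consults the policy, so any
// workspace member can push system-event text into the session.
function handleCallbackUnchecked(session: Session, cb: InteractiveCallback): boolean {
  session.events.push(`[system:${cb.kind}] ${cb.text}`);
  return true;
}

// Fixed shape: gate the callback on the sender policy before it touches the session,
// and log rejections so repeated attempts from one member are visible to monitoring.
function handleCallbackChecked(policy: SenderPolicy, session: Session, cb: InteractiveCallback): boolean {
  if (!senderAllowed(policy, cb.userId, cb.channelId)) {
    console.warn(`rejected ${cb.kind} from unauthorized sender ${cb.userId}`);
    return false;
  }
  session.events.push(`[system:${cb.kind}] ${cb.text}`);
  return true;
}
```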

Fix

Weakness Enumeration: Incorrect Authorization

Related Identifiers: CVE-2026-32005, GHSA-X2FF-J5C2-GGPR

Affected Products: Openclaw