PT-2026-26388 · Unknown+1 · Bluebubbles+1

Tdjackey · Published 2026-03-03 · Updated 2026-03-20 · CVE-2026-32006

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions
OpenClaw versions prior to 2026.2.26

Description
OpenClaw contains an authorization bypass issue in which DM pairing-store identities are incorrectly treated as group allowlist identities when dmPolicy=pairing and groupPolicy=allowlist. This allows remote attackers to send messages and reactions in groups as DM-paired identities without explicit group allowlist membership, bypassing the group sender authorization check. The root cause is the DM/group allowlist composition: DM pairing-store identities could be included in group authorization decisions. This issue affects deployments using BlueBubbles with groupPolicy=allowlist and dmPolicy=pairing when pairing-store entries are present. The issue does not bypass gateway authentication or sandbox boundaries. The fix centralizes DM/group authorization composition in shared resolvers, removes local DM/group list recomposition at channel callsites, adds cross-channel regression coverage, and adds a CI guard to block future pairing-store leakage into group authorization composition.
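To make the composition flaw concrete, the following is an added illustration written for this page; it is not OpenClaw's code. The policy names dmPolicy=pairing and groupPolicy=allowlist come from the advisory, while the config shape, the function names, and the constructed sender identities are assumptions. The vulnerable authorizer folds the pairing store into the group allowlist at the callsite, the fixed version resolves each scope through its own resolver, and a small guard function checks the same property the advisory's CI guard is meant to enforce: no identity that is only in the pairing store may pass group authorization.

```typescript
// Added illustration (not OpenClaw's code) of the DM/group allowlist
// composition flaw described in the advisory. Policy names mirror the
// advisory; identities, config shape and function names are assumptions.

type DmPolicy = "pairing" | "allowlist";
type GroupPolicy = "allowlist" | "open";

interface ChannelAuthConfig {
  dmPolicy: DmPolicy;
  groupPolicy: GroupPolicy;
  groupAllowlist: ReadonlySet<string>; // senders explicitly allowed in groups
  dmAllowlist: ReadonlySet<string>;    // senders explicitly allowed in DMs
  pairingStore: ReadonlySet<string>;   // senders that completed DM pairing
}

// Vulnerable composition, recomposed locally at the channel callsite: with
// dmPolicy=pairing the pairing store is merged into the group allowlist, so a
// DM-paired sender passes the group check without group allowlist membership.
function isGroupSenderAuthorizedVulnerable(cfg: ChannelAuthConfig, sender: string): boolean {
  if (cfg.groupPolicy === "open") return true;
  const effective = new Set<string>(Array.from(cfg.groupAllowlist));
  if (cfg.dmPolicy === "pairing") {
    cfg.pairingStore.forEach((id) => effective.add(id)); // the leak
  }
  return effective.has(sender);
}

// Fixed composition through shared resolvers: each scope resolves only its
// own allowlist state, and the pairing store feeds DM decisions exclusively.
function resolveDmAllowlist(cfg: ChannelAuthConfig): ReadonlySet<string> {
  return cfg.dmPolicy === "pairing" ? cfg.pairingStore : cfg.dmAllowlist;
}

function resolveGroupAllowlist(cfg: ChannelAuthConfig): ReadonlySet<string> {
  return cfg.groupAllowlist; // pairing store is deliberately not consulted
}

function isDmSenderAuthorized(cfg: ChannelAuthConfig, sender: string): boolean {
  return resolveDmAllowlist(cfg).has(sender);
}

function isGroupSenderAuthorizedFixed(cfg: ChannelAuthConfig, sender: string): boolean {
  if (cfg.groupPolicy === "open") return true;
  return resolveGroupAllowlist(cfg).has(sender);
}

// Regression guard in the spirit of the advisory's CI check: returns every
// sender that is only in the pairing store yet passes the group authorizer.
function pairingStoreLeaksIntoGroup(
  cfg: ChannelAuthConfig,
  authorize: (cfg: ChannelAuthConfig, sender: string) => boolean,
): string[] {
  return Array.from(cfg.pairingStore).filter(
    (id) => !cfg.groupAllowlist.has(id) && authorize(cfg, id),
  );
}

// Constructed sample deployment matching the affected configuration.
function sampleConfig(): ChannelAuthConfig {
  return {
    dmPolicy: "pairing",
    groupPolicy: "allowlist",
    groupAllowlist: new Set(["group-member@example.invalid"]),
    dmAllowlist: new Set<string>(),
    pairingStore: new Set(["paired-dm-only@example.invalid"]),
  };
}

const cfg = sampleConfig();
console.log("leak under vulnerable composition:", pairingStoreLeaksIntoGroup(cfg, isGroupSenderAuthorizedVulnerable));
console.log("leak under fixed composition:", pairingStoreLeaksIntoGroup(cfg, isGroupSenderAuthorizedFixed));
```

The guard is the useful part for a defender: run it against the real authorizer with a config that has pairing-store entries and an empty or disjoint group allowlist, and any non-empty result is a regression of this exact bug class.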
Recommendations
Deployments running OpenClaw versions prior to 2026.2.26 should update to version 2026.2.26 or later.

Fix

Weakness Enumeration

Incorrect Authorization

Related Identifiers

CVE-2026-32006
GHSA-25PW-4H6W-QWVM

Affected Products

Bluebubbles
Openclaw