PT-2026-26408 · Openclaw · Openclaw

Tdjackey · Published 2026-03-03 · Updated 2026-03-26 · CVE-2026-32027

CVSS v4.0: 7.1 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.2.26

Description: OpenClaw is affected by an authorization bypass in which identities from the DM pairing store are incorrectly treated as eligible for group allowlist authorization checks. Because group allowlist evaluation inherits identities from the DM pairing store, a sender approved via DM pairing satisfies the group sender allowlist check without being explicitly listed in groupAllowFrom, bypassing group message access controls. The vulnerable component is the authorization-policy boundary between DM pairing and group allowlists.

Recommendations: Versions prior to 2026.2.26 should be updated to version 2026.2.26 or later.
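The following is an added illustration of the weakness class described above, written for this page; it is not OpenClaw's code, and the store shapes, names (`AuthzStores`, `dm_paired`, `group_allow_from`, the two check functions and the audit helper) and sample data are constructed assumptions. It contrasts a group check that inherits identities from the DM pairing store with one that consults only the group's own allowlist, and adds a small audit helper a defender could run over accepted (group, sender) pairs from a pre-fix deployment to see which admissions could only have come through the cross-context path.

```python
"""Cross-context authorization: DM pairing store leaking into group allowlist checks.

Constructed example, not OpenClaw's implementation. Two independent identity
stores are modelled:
  - dm_paired:        senders approved through DM pairing
  - group_allow_from: per-group explicit allowlists (the "groupAllowFrom" role)
"""
from dataclasses import dataclass, field


@dataclass
class AuthzStores:
    # Assumed shapes; a real deployment would persist these separately.
    dm_paired: set[str] = field(default_factory=set)
    group_allow_from: dict[str, set[str]] = field(default_factory=dict)


def group_sender_allowed_vulnerable(stores: AuthzStores, group_id: str, sender: str) -> bool:
    """Flawed check: the group decision also accepts any DM-paired identity,
    so a sender approved via DM pairing passes without appearing in the
    group's allowlist."""
    explicit = stores.group_allow_from.get(group_id, set())
    return sender in explicit or sender in stores.dm_paired


def group_sender_allowed_fixed(stores: AuthzStores, group_id: str, sender: str) -> bool:
    """Hardened check: only the group's own allowlist decides. A group with no
    allowlist entry, or an empty one, denies everyone; DM pairing state is
    never consulted for a group message."""
    explicit = stores.group_allow_from.get(group_id)
    if not explicit:
        return False
    return sender in explicit


def find_cross_context_grants(
    stores: AuthzStores, accepted: list[tuple[str, str]]
) -> list[tuple[str, str]]:
    """Audit helper: given (group_id, sender) pairs a deployment accepted,
    return those that are absent from the group's allowlist but present in
    the DM pairing store, i.e. admissions explainable only by the bypass."""
    suspicious = []
    for group_id, sender in accepted:
        explicit = stores.group_allow_from.get(group_id, set())
        if sender not in explicit and sender in stores.dm_paired:
            suspicious.append((group_id, sender))
    return suspicious


# Constructed sample data: "mallory" is DM-paired but not in the "ops" allowlist.
SAMPLE_STORES = AuthzStores(
    dm_paired={"alice", "mallory"},
    group_allow_from={"ops": {"alice"}, "empty-group": set()},
)
SAMPLE_ACCEPTED = [("ops", "alice"), ("ops", "mallory"), ("ops", "bob")]

if __name__ == "__main__":
    for sender in ("alice", "mallory", "bob"):
        print(
            sender,
            "vulnerable:", group_sender_allowed_vulnerable(SAMPLE_STORES, "ops", sender),
            "fixed:", group_sender_allowed_fixed(SAMPLE_STORES, "ops", sender),
        )
    print("cross-context admissions:", find_cross_context_grants(SAMPLE_STORES, SAMPLE_ACCEPTED))
```

The design point is that the two stores answer different questions ("may this identity DM me?" versus "may this identity post in this group?"), so the group check must never fall through to the DM store; the hardened function also treats a missing or empty allowlist as deny rather than as "no restriction".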

Fix

Weakness Enumeration

Improper Authorization
Path traversal
Incorrect Authorization

Related Identifiers

CVE-2026-32027
GHSA-JV6R-27WW-4GW4

Affected Products

Openclaw