PT-2026-26732 · Openclaw · Openclaw
Tdjackey · Published 2026-03-03 · Updated 2026-03-21 · CVE-2026-32050
CVSS v4.0: 6.3 Medium
Vector: AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
OpenClaw versions prior to 2026.2.25
Description
The software contains an access control issue in how signal reaction notifications are handled. This allows unauthorized senders to add status events before authorization is confirmed. Specifically, attackers can use the reaction-only event path within the event-handler.ts file to queue signal reaction status lines for sessions without proper Direct Message (DM) or group access validation.
Recommendations
Update to version 2026.2.25 or later.
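For readers auditing their own event handlers for the same ordering flaw, the following added sketch (not OpenClaw's code and not the project's patch) contrasts a handler whose reaction-only branch queues a status line before the access check with one that authorizes first. All type names, function names, the policy shape and the sample events are hypothetical and constructed for illustration.

```typescript
// Hypothetical model of an inbound-event handler; not OpenClaw's code.
type InboundEvent =
  | { kind: "message"; sender: string; groupId?: string; text: string }
  | { kind: "reaction"; sender: string; groupId?: string; emoji: string };
interface AccessPolicy { allowedDmSenders: Set<string>; allowedGroups: Set<string> }

// One gate for every event kind (assumed policy: group events need an
// allowed group, direct events need an allowed sender).
function isAuthorized(ev: InboundEvent, policy: AccessPolicy): boolean {
  return ev.groupId !== undefined
    ? policy.allowedGroups.has(ev.groupId)
    : policy.allowedDmSenders.has(ev.sender);
}

// Flawed ordering: the reaction-only branch queues a status line and
// returns before the access check is ever reached.
function handleFlawed(ev: InboundEvent, policy: AccessPolicy, queue: string[]): void {
  if (ev.kind === "reaction") {
    queue.push(`reaction ${ev.emoji} from ${ev.sender}`);
    return;
  }
  if (!isAuthorized(ev, policy)) return;
  queue.push(`message from ${ev.sender}: ${ev.text}`);
}

// Corrected ordering: authorize first, then branch on the event kind.
function handleChecked(ev: InboundEvent, policy: AccessPolicy, queue: string[]): void {
  if (!isAuthorized(ev, policy)) return;
  queue.push(ev.kind === "reaction"
    ? `reaction ${ev.emoji} from ${ev.sender}`
    : `message from ${ev.sender}: ${ev.text}`);
}

// Constructed sample events: two from unapproved origins, one approved.
function demo(): { flawed: string[]; checked: string[] } {
  const policy: AccessPolicy = { allowedDmSenders: new Set(["alice"]), allowedGroups: new Set(["team"]) };
  const events: InboundEvent[] = [
    { kind: "reaction", sender: "mallory", emoji: "+1" },
    { kind: "reaction", sender: "mallory", groupId: "other", emoji: "+1" },
    { kind: "reaction", sender: "alice", emoji: "ok" },
  ];
  const flawed: string[] = [];
  const checked: string[] = [];
  for (const ev of events) {
    handleFlawed(ev, policy, flawed);
    handleChecked(ev, policy, checked);
  }
  return { flawed, checked };
}
```

A regression test for this class of bug should feed every event kind through the handler from an unapproved origin and assert that the queue stays empty.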
Fix
Incorrect Authorization
Affected Products
Openclaw