CVE-2026-32899

CVSS v3.1

4.3

Medium

AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

OpenClaw versions prior to 2026.2.25 fail to consistently apply sender-policy checks to reaction * and pin * non-message events before adding them to system-event context. Attackers can bypass configured DM policies and channel user allowlists to inject unauthorized reaction and pin events from restricted senders.

Fix

Incorrect Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-863

Related Identifiers

CVE-2026-32899

Affected Products

Openclaw

CVE-2026-32899

Weakness Enumeration

Related Identifiers

Affected Products

References · 5