CVE-2026-26328 MEDIUM

CVE-2026-26328: OpenClaw iMessage group allowlist authorization inherited DM pairing-store identities

Vendor Openclaw

Product openclaw

Weakness CWE-284

Published February 19, 2026

Last update February 20, 2026

View on NVD All CVEs

CVSS base score

6.5/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality None

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

What the vulnerability does

01Description

OpenClaw is a personal AI assistant. Prior to version 2026.2.14, under iMessage `groupPolicy=allowlist`, group authorization could be satisfied by sender identities coming from the DM pairing store, broadening DM trust into group contexts. Version 2026.2.14 fixes the issue.

Key dates

02Disclosure timeline

February 19, 2026 CVE published

February 20, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-26328 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/284.html

Related vulnerabilities

Identifiers

CVE CVE-2026-26328

CWE CWE-284

CVSS 6.5 / MEDIUM

Affected versions

Vendor Openclaw

Product openclaw

Affected < 2026.2.14

Vendor Openclaw

Product clawdbot

Affected <= 2026.1.24-3

CVE-2026-26328: OpenClaw iMessage group allowlist authorization inherited DM pairing-store identities

01Description

02Disclosure timeline

03References

04Related CVE