CVE-2026-31991 LOW

CVE-2026-31991: OpenClaw < 2026.2.26 - Authorization Bypass via DM Pairing-Store Leakage in Signal Group Allowlist

Vendor Openclaw
Product OpenClaw
Weakness CWE-863 · Incorrect authorization
Published March 19, 2026
Last update March 19, 2026

CVSS base score

2.0/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction Active
Confidentiality Low
Integrity Low

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

OpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerability in which the Signal group allowlist policy incorrectly accepts sender identities from DM pairing-store approvals. An attacker who obtains DM pairing approval can exploit this boundary weakness to bypass group allowlist checks and gain unauthorized group access.
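
The boundary failure described above, modeled as an added example. This is not OpenClaw's code: the store names, function names and phone numbers are hypothetical and constructed. It contrasts a group check that also trusts DM pairing approvals with one scoped to the group allowlist, and includes a regression check that lists identities crossing the boundary.

```javascript
// Simplified model of the boundary described above; NOT OpenClaw source code.
// Store names, function names and phone numbers are hypothetical/constructed.
const state = {
  dmPairingStore: new Set(["+15550100"]), // approved for 1:1 DMs via pairing
  groupAllowlist: new Set(["+15550199"]), // explicitly allowed in groups
};

// Flawed pattern: the group decision consults DM pairing approvals as well,
// so trust granted for one channel leaks into the other.
function groupAllowedFlawed(state, sender) {
  return state.groupAllowlist.has(sender) || state.dmPairingStore.has(sender);
}

// Scoped pattern: the group decision reads only the group allowlist.
function groupAllowedScoped(state, sender) {
  return state.groupAllowlist.has(sender);
}

// Regression check: every identity that is DM-paired but absent from the
// group allowlist must be rejected by the group policy under test.
function findBoundaryLeaks(groupCheck, state) {
  const leaks = [];
  for (const sender of state.dmPairingStore) {
    if (!state.groupAllowlist.has(sender) && groupCheck(state, sender)) {
      leaks.push(sender);
    }
  }
  return leaks;
}

console.log("flawed leaks:", findBoundaryLeaks(groupAllowedFlawed, state));
console.log("scoped leaks:", findBoundaryLeaks(groupAllowedScoped, state));
```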

Key dates

02 Disclosure timeline

March 19, 2026 CVE published
March 19, 2026 Record updated