CVE-2026-32006 LOW

CVE-2026-32006: OpenClaw < 2026.2.26 - Authorization Bypass via DM Pairing-Store Fallback in Group Allowlist

Vendor Openclaw
Product OpenClaw
Weakness CWE-863 · Incorrect authorization
Published March 19, 2026
Last update March 20, 2026

CVSS base score

2.3/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

OpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerability where DM pairing-store identities are incorrectly treated as group allowlist identities when dmPolicy=pairing and groupPolicy=allowlist. Remote attackers can send messages and reactions as DM-paired identities without explicit groupAllowFrom membership to bypass group sender authorization checks.

Key dates

02 Disclosure timeline

March 19, 2026 CVE published
March 20, 2026 Record updated

Related vulnerabilities

04 Related CVE