CVE-2026-32006 in OpenClaw
Summary
by MITRE • 03/20/2026
OpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerability where DM pairing-store identities are incorrectly treated as group allowlist identities when dmPolicy=pairing and groupPolicy=allowlist. Remote attackers can send messages and reactions as DM-paired identities without explicit groupAllowFrom membership to bypass group sender authorization checks.
Analysis
by VulDB Data Team • 03/25/2026
CVE-2026-32006 affects OpenClaw versions prior to 2026.2.26 and is a critical authorization bypass in the messaging system. It sits at the interaction between the DM policy and the group access controls: when dmPolicy=pairing and groupPolicy=allowlist, identities taken from the DM pairing store are treated as group allowlist identities, so the check that should keep unauthorized senders out of group channels no longer does.
The root cause is a logic error in authorization validation: the code does not distinguish identities authorized through group allowlist membership (groupAllowFrom) from identities that merely completed DM pairing. With dmPolicy set to pairing and groupPolicy set to allowlist, DM-paired identities are given the same standing as explicitly allowed group members. The misclassification occurs at the policy enforcement layer, where sender identity should be verified strictly before a message is admitted to a group channel; instead, pairing-store credentials carry weight in a group authorization decision they should not influence at all.
The operational impact is that a remote attacker can act as a DM-paired identity inside group contexts without any explicit group membership. Messages and reactions are accepted as though they came from an authorized group member, so content can be injected into protected group conversations, or existing messages reacted to, without proper authorization. The flaw bypasses the security boundary that is supposed to restrict participation in group discussions and undermines the access control assumptions of the messaging system.
The vulnerability maps to CWE-284 (Improper Access Control) and corresponds to ATT&CK technique T1078.004 (Valid Accounts), since legitimate pairing identities are leveraged for unauthorized group participation. It is a classic case of privilege escalation through an improper authorization check: the system fails to enforce the boundary between two different kinds of identity. Organizations running affected OpenClaw versions face communication integrity and data exposure risks, as attackers could manipulate group conversations or spread malicious content through this path.
The recommended mitigation is to deploy OpenClaw 2026.2.26 or later, which contains the fix that properly distinguishes pairing-store identities from group allowlist identities. Administrators should also audit their dmPolicy and groupPolicy settings to confirm they match the intended security posture, and add monitoring for group messages or reactions originating from paired identities that are not in groupAllowFrom, since that pattern would indicate exploitation. The fix restores the intended access control boundary by ensuring that group authorization depends on group membership alone and never on DM pairing credentials.
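As an added illustration of the bug class and its fix (this is not OpenClaw's own code), the following shows a group sender check that wrongly folds the DM pairing store into the group allowlist beside the corrected check, plus the detection condition the mitigation above calls for. Only dmPolicy, groupPolicy and groupAllowFrom come from the advisory; the PairingStore shape, the policy value sets and the function names are assumptions.

```typescript
// Added illustration of the advisory's bug class, not OpenClaw's code. dmPolicy,
// groupPolicy and groupAllowFrom are the advisory's terms; the PairingStore
// shape, policy value sets and function names are assumptions for this example.
type DmPolicy = "pairing" | "allowlist" | "open";
type GroupPolicy = "allowlist" | "open" | "disabled";
interface ChannelConfig {
  dmPolicy: DmPolicy;
  groupPolicy: GroupPolicy;
  groupAllowFrom: string[]; // explicit allowlist of group senders
}
type PairingStore = Set<string>; // assumed: identities that completed DM pairing

// "open" and "disabled" decide immediately; null means consult the allowlist.
function groupPolicyShortcut(cfg: ChannelConfig): boolean | null {
  if (cfg.groupPolicy === "open") return true;
  if (cfg.groupPolicy === "disabled") return false;
  return null;
}

// Flawed decision (the pre-2026.2.26 behaviour the advisory describes): with
// dmPolicy=pairing, DM-paired identities are folded into the group allowlist,
// so a sender who only completed DM pairing passes the group sender check.
function groupSenderAllowedFlawed(cfg: ChannelConfig, paired: PairingStore, sender: string): boolean {
  const shortcut = groupPolicyShortcut(cfg);
  if (shortcut !== null) return shortcut;
  const allowed = new Set(cfg.groupAllowFrom);
  if (cfg.dmPolicy === "pairing") {
    paired.forEach((id) => allowed.add(id)); // the bug: DM pairing is not group authorization
  }
  return allowed.has(sender);
}

// Corrected decision: group authorization consults groupAllowFrom only; the
// DM pairing store plays no part, whatever dmPolicy is set to.
function groupSenderAllowedFixed(cfg: ChannelConfig, _paired: PairingStore, sender: string): boolean {
  const shortcut = groupPolicyShortcut(cfg);
  if (shortcut !== null) return shortcut;
  return cfg.groupAllowFrom.includes(sender);
}

// Detection aid for the monitoring the advisory recommends: a group message or
// reaction from an identity that is DM-paired but absent from groupAllowFrom is
// exactly the pattern this bypass produces, so it is worth logging or alerting on.
function pairedButNotGroupAllowed(cfg: ChannelConfig, paired: PairingStore, sender: string): boolean {
  return cfg.groupPolicy === "allowlist" && paired.has(sender) && !cfg.groupAllowFrom.includes(sender);
}

// Constructed scenario: pairing + allowlist, mallory paired over DM, only alice allowlisted.
const cfg: ChannelConfig = { dmPolicy: "pairing", groupPolicy: "allowlist", groupAllowFrom: ["user:alice"] };
const paired: PairingStore = new Set(["user:alice", "user:mallory"]);
```

With the constructed scenario, the flawed check admits user:mallory to the group while the fixed check rejects it, and the detection helper flags the same sender.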