CVE-2026-32027
OpenClaw DM pairing-store identities could satisfy group allowlist authorization
Description
## Summary

DM pairing-store identities were incorrectly eligible for group allowlist authorization checks, enabling cross-context authorization in group message paths.

## Details

In affected versions, group allowlist evaluation could inherit identities from the DM pairing store. A sender approved via DM pairing could satisfy group sender allowlist checks without being explicitly present in `groupAllowFrom`.

This is an authorization-policy boundary issue between DM pairing and group allowlists: approval granted in the one-to-one (DM) context was honoured in the group context, which has its own, separately configured allowlist.

## Affected Packages / Versions

- `openclaw` (npm): affected `<= 2026.2.25` (latest published npm version at triage time)
- `openclaw` (npm): patched `>= 2026.2.26` (planned next release)

## Fix Commit(s)

- `openclaw/openclaw@8bdda7a651c21e98faccdbbd73081e79cffe8be0`
- `openclaw/openclaw@051fdcc428129446e7c084260f837b7284279ce9`

## Release Process Note

`patched_versions` is pre-set to the planned next release (`2026.2.26`) so that once the npm release is published, maintainers can publish the advisory without additional metadata edits.

## Maintainer Timeline Note

Maintainers landed the initial fix before this report was filed; this report still provided useful independent confirmation of the issue class and exploit path. OpenClaw thanks @tdjackey for reporting.
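The following JavaScript sketch is an added illustration of the issue class described above; it is not OpenClaw's code and does not reproduce the patched logic. The function names, the shape of the DM pairing store and the group configuration object are assumptions made for the example; only the `groupAllowFrom` key comes from the advisory. It places the vulnerable fallback (group check consults the DM pairing store) beside the hardened check (group path reads only `groupAllowFrom`), and includes an audit helper that lists the identities the old path would have admitted to a group solely on the strength of DM pairing.

```javascript
// Added example for CVE-2026-32027's issue class. NOT OpenClaw's code: data
// shapes, function names and policy details are assumptions; only the config
// key `groupAllowFrom` is taken from the advisory.

// Constructed sample state: identities approved for one-to-one DM access,
// and a group's explicit sender allowlist. Both are made up for this example.
const dmPairingStore = new Set(["telegram:alice", "telegram:mallory"]);

const groupConfig = {
  groupAllowFrom: ["telegram:alice", "telegram:bob"],
};

// Vulnerable pattern (the 'before'): the group sender check falls back to the
// DM pairing store, so a DM-paired sender that is absent from groupAllowFrom
// is still accepted in the group message path (cross-context authorization).
function isGroupSenderAllowedVulnerable(sender, cfg, pairingStore) {
  const explicit = cfg.groupAllowFrom ?? [];
  if (explicit.includes(sender)) return true;
  // Boundary violation: DM approval bleeds into group authorization.
  return pairingStore.has(sender);
}

// Hardened pattern (the 'after'): group authorization consults only the
// group's own allowlist; DM pairing state is never read on this path.
function isGroupSenderAllowedFixed(sender, cfg) {
  const explicit = cfg.groupAllowFrom ?? [];
  return explicit.includes(sender);
}

// The DM path keeps its own store. The two policies stay separate on purpose.
function isDmSenderAllowed(sender, pairingStore) {
  return pairingStore.has(sender);
}

// Audit helper: identities the vulnerable check admits to the group that the
// hardened check rejects, i.e. exactly the DM-only identities that leaked.
function findCrossContextLeaks(cfg, pairingStore) {
  return [...pairingStore].filter(
    (id) =>
      isGroupSenderAllowedVulnerable(id, cfg, pairingStore) &&
      !isGroupSenderAllowedFixed(id, cfg),
  );
}

// Evaluate every check for a list of senders so the difference between the
// two group checks is visible side by side.
function evaluate(senders, cfg, pairingStore) {
  return senders.map((sender) => ({
    sender,
    dm: isDmSenderAllowed(sender, pairingStore),
    groupVulnerable: isGroupSenderAllowedVulnerable(sender, cfg, pairingStore),
    groupFixed: isGroupSenderAllowedFixed(sender, cfg),
  }));
}

const results = evaluate(
  ["telegram:alice", "telegram:bob", "telegram:mallory", "telegram:eve"],
  groupConfig,
  dmPairingStore,
);

for (const r of results) {
  console.log(
    `${r.sender.padEnd(18)} dm=${r.dm} groupVulnerable=${r.groupVulnerable} groupFixed=${r.groupFixed}`,
  );
}
console.log("leaked via DM pairing:", findCrossContextLeaks(groupConfig, dmPairingStore));
```

Run with `node`. `telegram:mallory` is DM-paired but not in `groupAllowFrom`: the vulnerable variant admits that sender to the group, the hardened variant does not, and `findCrossContextLeaks` reports it as the single leaked identity. A regression test for this boundary in a real deployment is the same assertion: for every identity in the DM pairing store that is not in `groupAllowFrom`, the group check must return false.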
How to fix CVE-2026-32027
To remediate CVE-2026-32027, upgrade the affected package to a fixed version below.
- `openclaw` (npm): upgrade to 2026.2.26 or later
Is CVE-2026-32027 being exploited?
Low. The EPSS score is 0.0%, meaning the EPSS model assigns a negligible probability of exploitation in the wild over the next 30 days. EPSS is a prediction of exploitation activity, not a measure of severity or ease of exploitation: the issue remains an authorization bypass in which a DM-paired sender can pass group allowlist checks, so deployments that rely on `groupAllowFrom` to restrict who can act in group message paths should not defer the upgrade on the basis of this score alone.
Affected packages (1)
- `openclaw` (npm): all versions from 0, < 2026.2.26 (fixed in 2026.2.26)