CVE-2026-32050

Description

### Summary In a narrow Signal reaction-notification path, reaction-only inbound events could enqueue a status event before sender access checks were applied. ### Affected Packages / Versions - Package: `openclaw` (npm) - Affected: `<= 2026.2.24` (latest published at patch time) - Fixed: `2026.2.25` ### Details In the affected flow (`src/signal/monitor/event-handler.ts`), reaction-only handling could return after `enqueueSystemEvent(...)` before DM/group authorization checks were evaluated for that sender. This behavior was limited to reaction-only inbound events with reaction notifications enabled. In that case, a sender not authorized for normal DM flow could still queue a Signal reaction status line for that session. The fix applies shared DM/group access checks before reaction notification enqueue. Pairing behavior for normal DM messages is unchanged. ### Impact - Limited to Signal reaction-only inbound events. - Could add an unauthorized reaction status line to agent context for affected sessions. - Did not directly enable normal DM delivery or direct host command execution. ### Fix Commit(s) - `2aa7842adeedef423be7ce283a9144b9f1a0a669` ### Release Process Note `patched_versions` is pre-set to `2026.2.25` so once npm release is out, advisory publish can proceed directly. OpenClaw thanks @tdjackey for reporting.

How to fix CVE-2026-32050

To remediate CVE-2026-32050, upgrade the affected package to a fixed version below.

• —upgrade to 2026.2.25 or later

Is CVE-2026-32050 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 2026.2.25

CVSS scores

References (5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-32050
• PATCHgithub.com/openclaw/openclaw
• WEBgithub.com/openclaw/openclaw/commit/2aa7842adeedef423be7ce283a9144b9f1a0a669
• WEBgithub.com/openclaw/openclaw/security/advisories/GHSA-792q-qw95-f446