CVE-2026-31991

描述

### Summary In OpenClaw `2026.2.25`, Signal group authorization under `groupPolicy=allowlist` could accept sender identities sourced from DM pairing-store approvals. This allowed DM pairing approvals to leak into group allowlist evaluation. ### Impact This is an authorization-boundary weakness between DM pairing and group allowlist controls. A sender approved for DM pairing could pass group checks without explicit group allowlisting. ### Affected Packages / Versions - Package: `openclaw` (npm) - Latest published version affected: `2026.2.25` - Vulnerable range: `<= 2026.2.25` - Patched version (planned next release): `>= 2026.2.26` ### Fix OpenClaw now keeps DM pairing-store entries DM-only and enforces explicit group allowlist boundaries in shared DM/group policy resolution used by Signal and other channels. ### Fix Commit(s) - `8bdda7a651c21e98faccdbbd73081e79cffe8be0` - `64de4b6d6ae81e269ceb4ca16f53cda99ced967a` ### Release Process Note `patched_versions` is pre-set to the planned next release (`2026.2.26`). After npm publish of that version, this advisory is ready to publish without further content edits. Thanks @tdjackey for reporting.

受影響套件(1)

• npm/openclawfrom 0, < 2026.2.26

CVSS 分數

參考連結(6)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-31991
• PATCHhttps://github.com/openclaw/openclaw
• WEBhttps://github.com/openclaw/openclaw/commit/64de4b6d6ae81e269ceb4ca16f53cda99ced967a
• WEBhttps://github.com/openclaw/openclaw/commit/8bdda7a651c21e98faccdbbd73081e79cffe8be0
• WEBhttps://github.com/openclaw/openclaw/security/advisories/GHSA-wm8r-w8pf-2v6w
• WEBhttps://www.vulncheck.com/advisories/openclaw-authorization-bypass-via-dm-pairing-store-leakage-in-signal-group-allowlist