CVE-2026-32027

描述

## Summary DM pairing-store identities were incorrectly eligible for group allowlist authorization checks, enabling cross-context authorization in group message paths. ## Details In affected versions, group allowlist evaluation could inherit identities from the DM pairing store. A sender approved via DM pairing could satisfy group sender allowlist checks without being explicitly present in `groupAllowFrom`. This is an authorization-policy boundary issue between DM pairing and group allowlists. ## Affected Packages / Versions - `openclaw` (npm): affected `<= 2026.2.25` (latest published npm version at triage time) - `openclaw` (npm): patched `>= 2026.2.26` (planned next release) ## Fix Commit(s) - `openclaw/openclaw@8bdda7a651c21e98faccdbbd73081e79cffe8be0` - `openclaw/openclaw@051fdcc428129446e7c084260f837b7284279ce9` ## Release Process Note `patched_versions` is pre-set to the planned next release (`2026.2.26`) so once npm release is published, maintainers can publish the advisory without additional metadata edits. ## Maintainer Timeline Note Maintainers landed the initial fix before this report was filed; this report still provided useful independent confirmation of the issue class and exploit path. OpenClaw thanks @tdjackey for reporting.

受影響套件(1)

• npm/openclawfrom 0, < 2026.2.26

CVSS 分數

參考連結(6)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-32027
• PATCHhttps://github.com/openclaw/openclaw
• WEBhttps://github.com/openclaw/openclaw/commit/051fdcc428129446e7c084260f837b7284279ce9
• WEBhttps://github.com/openclaw/openclaw/commit/8bdda7a651c21e98faccdbbd73081e79cffe8be0
• WEBhttps://github.com/openclaw/openclaw/security/advisories/GHSA-jv6r-27ww-4gw4
• WEBhttps://www.vulncheck.com/advisories/openclaw-improper-authorization-via-dm-pairing-store-identity-inheritance-in-group-allowlist