CVE-2026-26328
Authorization Bypass in OpenClaw iMessage Group Policy Allows Trust Escalation
Publication date: 2026-02-20
Last updated on: 2026-02-26
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openclaw | openclaw | < 2026.2.14 (2026.2.14 itself excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-26328 is a vulnerability in the OpenClaw personal AI assistant affecting versions prior to 2026.2.14. When the iMessage groupPolicy is set to "allowlist", group authorization can incorrectly be satisfied by sender identities that come from the Direct Message (DM) pairing store. As a result, identities authorized only for direct messages can also gain access to group contexts, widening trust beyond the intended boundary.

The root cause is improper access control and an incorrect authorization check: the static group allowlist is combined with DM pairing-store identities when deciding group authorization, so a sender authorized only for direct messages can execute commands in group contexts without explicit group membership.

The issue was fixed in OpenClaw 2026.2.14 by removing the inheritance of DM pairing-store identities for group authorization.
How can this vulnerability impact me?
This vulnerability allows users who are authorized only for direct messages to obtain access with a high integrity impact in group contexts. Specifically, they can execute or modify group commands without explicit permission.
While the vulnerability does not affect confidentiality or availability, it poses a significant risk to the integrity of group communications and commands, potentially leading to unauthorized modifications or actions within group chats.
Exploitation requires network access but has low complexity and does not require user interaction, making it easier for attackers with limited privileges to abuse.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability arises from improper authorization checks in OpenClaw versions prior to 2026.2.14, specifically when the iMessage groupPolicy is set to 'allowlist'. Detection means verifying whether your OpenClaw installation runs a vulnerable version (≤ 2026.2.13) and whether groupPolicy is configured as 'allowlist'.

Since the issue is group authorization incorrectly inheriting identities from the DM pairing store, you can check your OpenClaw configuration files or logs for DM pairing-store identities being used in group authorization contexts.

The resources provide no explicit commands for detecting this vulnerability on your network or system. General steps include:

- Check the installed OpenClaw version, for example with `openclaw --version` or by inspecting the installed package version.
- Review the iMessage groupPolicy setting in your OpenClaw configuration to see whether it is set to 'allowlist'.
- Audit logs or message-routing debug logs (if enabled) for evidence of sender identities from the DM pairing store being authorized in group contexts.

For more detailed debugging, the release notes mention added debug logging for message-routing decisions in Discord and other platforms, which may be analogous or helpful if similar logging exists for iMessage in your OpenClaw setup.
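As an added illustration (this is not OpenClaw's code; the config field and pairing-store names are assumed), the following Python model contrasts the pre-fix group check as the advisory describes it with the 2026.2.14 behaviour, and adds the audit check suggested above: senders allowed in a group context who are not on the group allowlist.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class IMessageConfig:
    """Hypothetical stand-in for the iMessage channel config (field names assumed)."""
    group_policy: str = "allowlist"
    group_allowlist: frozenset = frozenset()

@dataclass(frozen=True)
class PairingStore:
    """Hypothetical DM pairing store: senders approved for direct messages only."""
    paired: frozenset = frozenset()

def _require_allowlist(cfg: IMessageConfig) -> None:
    # Only the groupPolicy="allowlist" path named in the advisory is modelled.
    if cfg.group_policy != "allowlist":
        raise ValueError("only groupPolicy='allowlist' is modelled here")

def group_authorized_vulnerable(cfg: IMessageConfig, store: PairingStore, sender: str) -> bool:
    """Pre-2026.2.14 logic as described: group allowlist OR DM pairing store,
    so a sender paired only for DMs also passes group authorization."""
    _require_allowlist(cfg)
    return sender in cfg.group_allowlist or sender in store.paired

def group_authorized_fixed(cfg: IMessageConfig, store: PairingStore, sender: str) -> bool:
    """2026.2.14 logic: group authorization no longer inherits DM pairings (store ignored)."""
    _require_allowlist(cfg)
    return sender in cfg.group_allowlist

def find_trust_escalations(cfg: IMessageConfig, events: list) -> list:
    """Audit helper: senders allowed in a group context without being on the
    group allowlist. Under the fixed logic this is always empty."""
    _require_allowlist(cfg)
    return sorted({e["sender"] for e in events
                   if e["context"] == "group" and e["decision"] == "allow"
                   and e["sender"] not in cfg.group_allowlist})

# Constructed sample data, not from any real deployment.
CFG = IMessageConfig(group_allowlist=frozenset({"+15550000001"}))
STORE = PairingStore(paired=frozenset({"+15550000002"}))  # DM-paired only

def demo() -> dict:
    # Replay a group message from every known sender through the old logic, then audit.
    dm_only = "+15550000002"
    events = [{"context": "group", "sender": s, "decision": "allow"}
              for s in sorted(CFG.group_allowlist | STORE.paired)
              if group_authorized_vulnerable(CFG, STORE, s)]
    return {"vulnerable": group_authorized_vulnerable(CFG, STORE, dm_only),
            "fixed": group_authorized_fixed(CFG, STORE, dm_only),
            "escalated": find_trust_escalations(CFG, events)}
```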
What immediate steps should I take to mitigate this vulnerability?
The primary and immediate mitigation is to upgrade OpenClaw to version 2026.2.14 or later, where the vulnerability is fixed by removing the inheritance of DM pairing-store identities for group authorization.

If upgrading immediately is not possible, review and tighten your iMessage groupPolicy settings: avoid using 'allowlist', or restrict group authorization explicitly to known identities without relying on DM pairing-store identities.

Additionally, enable and review debug logging for message-routing and authorization decisions to monitor for unauthorized group access attempts.

Ultimately, upgrading to the fixed version is strongly recommended to fully address the issue.