CVE-2026-31991
Authorization Bypass in OpenClaw Signal Group Allowlist Policy
Publication date: 2026-03-19
Last updated on: 2026-03-19
Assigner: VulnCheck
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openclaw | openclaw | < 2026.2.26 (excluding) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-31991 is an authorization bypass vulnerability in OpenClaw versions prior to 2026.2.26. The issue occurs because the Signal group allowlist policy incorrectly accepts sender identities based on direct message (DM) pairing-store approvals. This means that if an attacker obtains DM pairing approval, they can bypass the group allowlist checks and gain unauthorized access to Signal groups.
The root cause is that DM pairing-store entries were improperly included in group sender authorization checks, allowing DM approvals to leak into group authorization decisions. The fix enforces strict separation between DM and group allowlists, requiring explicit group allowlist entries for group message authorization and preventing DM pairing approvals from affecting group allowlist evaluations.
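The following is an added illustration, not OpenClaw's own code, of the authorization decision described above: a minimal model in which the pre-fix check consults the DM pairing store for group messages while the fixed check only honours explicit `groupAllowFrom` entries. All identifiers and the sample phone numbers are hypothetical and constructed for this example; each decision also carries the reason and matched entry that the verbose logging mentioned below would record.

```typescript
// Added example (not OpenClaw's code). Models the Signal group sender check
// before and after the fix; every name here is hypothetical.

type SenderId = string;

interface SignalPolicy {
  groupAllowFrom: SenderId[];     // explicit group allowlist (option named in the advisory)
  dmPairingStore: Set<SenderId>;  // senders approved through DM pairing
}

interface AuthDecision {
  allowed: boolean;
  reason: string;                 // why the message was accepted or dropped
  matchedAllowEntry?: SenderId;   // which allowlist entry matched, for audit logs
}

// Pre-fix behaviour: a DM pairing approval also satisfies the *group* check,
// so a DM-paired sender passes without any groupAllowFrom entry.
function authorizeGroupSenderVulnerable(policy: SignalPolicy, sender: SenderId): AuthDecision {
  if (policy.groupAllowFrom.includes(sender)) {
    return { allowed: true, reason: "group-allowlist", matchedAllowEntry: sender };
  }
  if (policy.dmPairingStore.has(sender)) {
    return { allowed: true, reason: "dm-pairing-leak" }; // the authorization bypass
  }
  return { allowed: false, reason: "not-in-group-allowlist" };
}

// Fixed behaviour: only an explicit groupAllowFrom entry authorizes a group
// message; the DM pairing store is never consulted for group traffic.
function authorizeGroupSenderFixed(policy: SignalPolicy, sender: SenderId): AuthDecision {
  if (policy.groupAllowFrom.includes(sender)) {
    return { allowed: true, reason: "group-allowlist", matchedAllowEntry: sender };
  }
  return { allowed: false, reason: "not-in-group-allowlist" };
}

// Constructed sample policy: one sender is on the group allowlist, the other
// has only a DM pairing approval.
const samplePolicy: SignalPolicy = {
  groupAllowFrom: ["+15550000001"],
  dmPairingStore: new Set(["+15550000001", "+15550000002"]),
};

function demo(): Record<string, AuthDecision> {
  return {
    dmOnlyBefore: authorizeGroupSenderVulnerable(samplePolicy, "+15550000002"),
    dmOnlyAfter: authorizeGroupSenderFixed(samplePolicy, "+15550000002"),
  };
}
```

A log line carrying `reason: "dm-pairing-leak"` for a group message is exactly the condition that should never appear once the fix is in place.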
How can this vulnerability impact me?
This vulnerability can allow an attacker who has been approved for direct message (DM) pairing to bypass group allowlist restrictions and gain unauthorized access to Signal groups. This unauthorized access could enable the attacker to send messages or execute commands within groups they should not have access to.
Such unauthorized group access undermines the intended access control policies, potentially exposing sensitive group communications and allowing malicious actors to disrupt or manipulate group interactions.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves monitoring for unauthorized group message access that bypasses group allowlist policies due to improper acceptance of sender identities from DM pairing-store approvals.
Since the vulnerability relates to authorization bypass in OpenClaw's Signal group allowlist, detection can be aided by enabling verbose logging of message processing and authorization decisions, especially focusing on group message handling and DM pairing approvals.
The patch introduced detailed verbose logging for blocked messages and pairing requests, including reasons for denial and metadata about the sender and allowlist matches. Reviewing these logs can help detect attempts to exploit the vulnerability.
Specific commands are not provided in the resources, but you can check logs for entries indicating group messages being dropped due to authorization failures or pairing requests being created unexpectedly. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade OpenClaw to version 2026.2.26 or later, where the vulnerability has been fixed.
The fix enforces strict separation between DM pairing-store approvals and group allowlist authorization, ensuring that DM pairing approvals cannot be used to bypass group allowlist checks.
- Upgrade OpenClaw to version 2026.2.26 or newer.
- Review and enforce explicit group allowlist policies (`groupAllowFrom`) to ensure group message authorization is properly restricted.
- Enable and monitor verbose logging for message authorization decisions to detect any unauthorized access attempts.
These steps prevent unauthorized group access by ensuring that DM pairing approvals apply only to direct messages and do not affect group message authorization.