CVE-2026-32050
Received Received - Intake
Access Control Bypass in OpenClaw Signal Reaction Handling

Publication date: 2026-03-21

Last updated on: 2026-03-23

Assigner: VulnCheck

Description
OpenClaw versions prior to 2026.2.25 contain an access control vulnerability in signal reaction notification handling that allows unauthorized senders to enqueue status events before authorization checks are applied. Attackers can exploit the reaction-only event path in event-handler.ts to queue signal reaction status lines for sessions without proper DM or group access validation.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-21
Last Modified
2026-03-23
Generated
2026-06-16
AI Q&A
2026-03-21
EPSS Evaluated
2026-06-15
NVD
CVE-2026-32050
EUVD
EUVD-2026-13947
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
openclaw openclaw to 2026.2.25 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-32050 is an access control vulnerability in OpenClaw versions prior to 2026.2.25. It occurs in the signal reaction notification handling mechanism, specifically in the reaction-only event path within the file event-handler.ts.

This flaw allows unauthorized attackers to enqueue reaction status events for sessions without proper direct message (DM) or group access validation, effectively bypassing authorization checks.

The vulnerability is classified under CWE-863 (Incorrect Authorization), meaning authorization checks are performed but not correctly enforced.

Impact Analysis

This vulnerability allows unauthorized senders to enqueue signal reaction status events in sessions where they do not have proper access rights.

While it does not allow unauthorized delivery of normal direct messages or execution of host commands, it can lead to unauthorized injection of reaction status lines, potentially causing confusion or manipulation of session state.

The impact on integrity is low, and there is no impact on confidentiality or availability, but the unauthorized enqueueing of events can still affect the trustworthiness of session interactions.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate the vulnerability CVE-2026-32050, you should upgrade OpenClaw to version 2026.2.25 or later.

This update enforces proper authorization checks before enqueuing reaction notification status events, preventing unauthorized senders from bypassing access controls.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32050. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart