← Back to CVEs
CVE-2026-32050
LOW3.7
Description
OpenClaw versions prior to 2026.2.25 contain an access control vulnerability in signal reaction notification handling that allows unauthorized senders to enqueue status events before authorization checks are applied. Attackers can exploit the reaction-only event path in event-handler.ts to queue signal reaction status lines for sessions without proper DM or group access validation.
CVE Details
CVSS v3.1 Score3.7
SeverityLOW
CVSS VectorCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack VectorNETWORK
ComplexityHIGH
Privileges RequiredNONE
User InteractionNONE
Published3/21/2026
Last Modified3/23/2026
Sourcenvd
Honeypot Sightings0
Affected Products
openclaw:openclaw
Weaknesses (CWE)
CWE-863
References
https://github.com/openclaw/openclaw/commit/2aa7842adeedef423be7ce283a9144b9f1a0a669(disclosure@vulncheck.com)
https://github.com/openclaw/openclaw/security/advisories/GHSA-792q-qw95-f446(disclosure@vulncheck.com)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.