← Retour aux CVEs

CVE-2026-31991

LOW

3.7

Description

OpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerability where Signal group allowlist policy incorrectly accepts sender identities from DM pairing-store approvals. Attackers can exploit this boundary weakness by obtaining DM pairing approval to bypass group allowlist checks and gain unauthorized group access.

Details CVE

Score CVSS v3.13.7

SeveriteLOW

Vecteur CVSSCVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N

Vecteur d'attaqueNETWORK

ComplexiteHIGH

Privileges requisLOW

Interaction utilisateurREQUIRED

Publie3/19/2026

Derniere modification3/19/2026

Sourcenvd

Observations honeypot0

Produits affectes

openclaw:openclaw

Faiblesses (CWE)

CWE-863

References

https://github.com/openclaw/openclaw/commit/64de4b6d6ae81e269ceb4ca16f53cda99ced967a(disclosure@vulncheck.com)

https://github.com/openclaw/openclaw/commit/8bdda7a651c21e98faccdbbd73081e79cffe8be0(disclosure@vulncheck.com)

https://github.com/openclaw/openclaw/security/advisories/GHSA-wm8r-w8pf-2v6w(disclosure@vulncheck.com)

https://www.vulncheck.com/advisories/openclaw-authorization-bypass-via-dm-pairing-store-leakage-in-signal-group-allowlist(disclosure@vulncheck.com)

Correlations IOC

Aucune correlation enregistree

This product uses data from the NVD API but is not endorsed or certified by the NVD.