OpenClaw, Authorization Bypass (no CVE)

Listen to this Post

The vulnerability resides in the iMessage monitoring component (monitor-provider.ts) when `groupPolicy` is set to allowlist. The function responsible for determining authorized senders, effectiveGroupAllowFrom, incorrectly merges two distinct identity sources: the static group allowlist and the identities stored from Direct Message (DM) pairings. This logic flaw means that if a sender has previously established a DM pairing with the bot (and thus exists in the storeAllowFrom), that approval bleeds into the group context. Consequently, a sender who is not listed in the group’s specific allowlist can still bypass group authorization checks because the system accepts their DM-paired identity as sufficient proof to post messages in a group. This weakens the intended boundary separation between one-on-one DM trust and multi-user group trust, allowing unauthorized participants to interact with the group channel.

dailycve form:

Platform: openclaw/clawdbot npm
Version: <=2026.2.13,<=2026.1.24-3
Vulnerability: group auth bypass
Severity: high
date: 2026-02-18

Prediction: Patched (872079d)

What Undercode Say:

Analytics:

The vulnerable logic combined two distinct authorization sets (DM store and group allowlist) without a proper security context switch . The impact is primarily a breach of trust boundaries in group chats.

Exploit:

1. Establish DM pairing with target OpenClaw bot.

2. Send message to group where `groupPolicy=allowlist`.

  1. Exploit: Bot accepts message because sender is in storeAllowFrom, even if not in groupAllowFrom.

Protection from this CVE:

Apply commit 872079d which separates DM and group authorization logic.

Navigate to your openclaw directory
cd /path/to/openclaw
Pull the latest fixes or apply the specific commit
git pull origin main
Or if you need the specific commit:
git cherry-pick 872079d42fe105ece2900a1dd6ab321b92da2d59
Rebuild/restart your OpenClaw instance
npm run build
pm2 restart openclaw or your specific process manager command

Impact:

Allows unauthorized DM-paired senders to participate in restricted groups, breaking security policies.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top