{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26328", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-13T16:27:51.809Z", "datePublished": "2026-02-19T23:04:12.188Z", "dateUpdated": "2026-02-20T15:38:50.782Z"}, "containers": {"cna": {"title": "OpenClaw iMessage group allowlist authorization inherited DM pairing-store identities", "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "lang": "en", "description": "CWE-284: Improper Access Control", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/openclaw/openclaw/security/advisories/GHSA-g34w-4xqq-h79m", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-g34w-4xqq-h79m"}, {"name": "https://github.com/openclaw/openclaw/commit/872079d42fe105ece2900a1dd6ab321b92da2d59", "tags": ["x_refsource_MISC"], "url": "https://github.com/openclaw/openclaw/commit/872079d42fe105ece2900a1dd6ab321b92da2d59"}, {"name": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.14", "tags": ["x_refsource_MISC"], "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.14"}], "affected": [{"vendor": "openclaw", "product": "openclaw", "versions": [{"version": "< 2026.2.14", "status": "affected"}]}, {"vendor": "openclaw", "product": "clawdbot", "versions": [{"version": "<= 2026.1.24-3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-19T23:04:12.188Z"}, "descriptions": [{"lang": "en", "value": "OpenClaw is a personal AI assistant. Prior to version 2026.2.14, under iMessage `groupPolicy=allowlist`, group authorization could be satisfied by sender identities coming from the DM pairing store, broadening DM trust into group contexts. Version 2026.2.14 fixes the issue."}], "source": {"advisory": "GHSA-g34w-4xqq-h79m", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-20T15:27:05.967889Z", "id": "CVE-2026-26328", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-20T15:38:50.782Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26328", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-20T15:27:05.967889Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-20T15:27:07.440Z"}}], "cna": {"title": "OpenClaw iMessage group allowlist authorization inherited DM pairing-store identities", "source": {"advisory": "GHSA-g34w-4xqq-h79m", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "openclaw", "product": "openclaw", "versions": [{"status": "affected", "version": "< 2026.2.14"}]}, {"vendor": "openclaw", "product": "clawdbot", "versions": [{"status": "affected", "version": "<= 2026.1.24-3"}]}], "references": [{"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-g34w-4xqq-h79m", "name": "https://github.com/openclaw/openclaw/security/advisories/GHSA-g34w-4xqq-h79m", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/openclaw/openclaw/commit/872079d42fe105ece2900a1dd6ab321b92da2d59", "name": "https://github.com/openclaw/openclaw/commit/872079d42fe105ece2900a1dd6ab321b92da2d59", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.14", "name": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.14", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "OpenClaw is a personal AI assistant. Prior to version 2026.2.14, under iMessage `groupPolicy=allowlist`, group authorization could be satisfied by sender identities coming from the DM pairing store, broadening DM trust into group contexts. Version 2026.2.14 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284: Improper Access Control"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-19T23:04:12.188Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26328", "state": "PUBLISHED", "dateUpdated": "2026-02-20T15:38:50.782Z", "dateReserved": "2026-02-13T16:27:51.809Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-19T23:04:12.188Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "0F3079A3-9FBD-4E87-821D-5CAF0622C555", "versionEndExcluding": "2026.2.14", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenClaw is a personal AI assistant. Prior to version 2026.2.14, under iMessage `groupPolicy=allowlist`, group authorization could be satisfied by sender identities coming from the DM pairing store, broadening DM trust into group contexts. Version 2026.2.14 fixes the issue."}, {"lang": "es", "value": "OpenClaw es un asistente personal de IA. Antes de la versi\u00f3n 2026.2.14, bajo iMessage 'groupPolicy=allowlist', la autorizaci\u00f3n de grupo pod\u00eda ser satisfecha por identidades de remitente provenientes del almac\u00e9n de emparejamiento de DM, ampliando la confianza de DM a contextos de grupo. La versi\u00f3n 2026.2.14 corrige el problema."}], "id": "CVE-2026-26328", "lastModified": "2026-02-26T18:41:00.350", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-20T00:16:15.523", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/openclaw/openclaw/commit/872079d42fe105ece2900a1dd6ab321b92da2d59"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.14"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-g34w-4xqq-h79m"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2026.1.24-3]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "clawdbot", "source": "cna", "vendor": "openclaw"}, "product": "clawdbot", "vendor": "openclaw"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2026.2.14)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "openclaw", "source": "cna", "vendor": "openclaw"}, "product": "openclaw", "vendor": "openclaw"}], "analysis": {"en": {"generated_at": "2026-04-18T11:40:34.120014+00:00", "value": {"mitigation_remediation": ["Upgrade OpenClaw to version 2026.2.14 or later to apply the vendor\u2011supplied fix.", "If immediate upgrade is not possible, disable the groupPolicy=allowlist setting or enforce stricter group membership verification to prevent unvetted identities from being accepted.", "Audit the DM pairing store and restrict the creation of new identities to trusted users only, ensuring that compromised or rogue identities cannot be leveraged for group access."], "summary": {"action": "Patch Immediately", "impact": "Privilege Escalation via Inherited DM Pairing Store Identities"}, "threat_synthesis": {"affected_systems": "The vulnerability affects OpenClaw\u2019s openclaw and clawdbot components on all versions released before 2026.2.14. The fix was deployed in release v2026.2.14; later releases contain the corrected group authorization logic.", "description_and_impact": "OpenClaw\u2019s group authorization system allowed group messages to be trusted based on identities stored in the DM pairing store when the group policy was set to allowlist. This flaw let an attacker who could supply a DM pairing store identity bypass all other group membership checks, thereby gaining membership and access to group messages that the user had not explicitly approved. The weakness arises from insufficient authorization checks, classified as CWE\u2011284 and CWE\u2011863. With this capability, an attacker can read, post, or forward messages within the group, compromising confidentiality, integrity, and potentially availability of the group communication.", "risk_and_exploitability": "The CVSS score of 6.5 indicates moderate severity. EPSS is below 1\u202f%, suggesting a low probability of exploitation in the wild, and the issue is not present in CISA\u2019s KEV catalog. It is inferred that exploitation would require the ability to insert or impersonate a DM pairing store identity, which might imply a privileged or compromised local user, limiting the attack surface. Nonetheless, any system where iMessage group communications are used for sensitive exchanges should treat this as a potential attack vector and apply the patch promptly."}}}}, "created": "2026-02-20T09:53:32.267367+00:00", "updated": "2026-04-18T11:45:44.598024+00:00", "vendors": ["openclaw", "openclaw$PRODUCT$clawdbot", "openclaw$PRODUCT$openclaw"]}