CVE-2026-32006: OpenClaw has a BlueBubbles group allowlist mismatch via DM pairing-store fallback
(updated )
In openclaw@2026.2.25, BlueBubbles group authorization could incorrectly treat DM pairing-store identities as group allowlist identities when dmPolicy=pairing and groupPolicy=allowlist.
A sender that was only DM-paired (not explicitly present in groupAllowFrom) could pass group sender checks for message and reaction ingress.
Per OpenClaw’s SECURITY.md trust model, this is a constrained authorization-consistency issue, not a multi-tenant boundary bypass or host-privilege escalation.
References
- github.com/advisories/GHSA-25pw-4h6w-qwvm
- github.com/openclaw/openclaw
- github.com/openclaw/openclaw/commit/051fdcc428129446e7c084260f837b7284279ce9
- github.com/openclaw/openclaw/commit/1aadf26f9acc399affabd859937a09468a9c5cb4
- github.com/openclaw/openclaw/security/advisories/GHSA-25pw-4h6w-qwvm
- nvd.nist.gov/vuln/detail/CVE-2026-32006
- www.vulncheck.com/advisories/openclaw-authorization-bypass-via-dm-pairing-store-fallback-in-group-allowlist
Code Behaviors & Features
Detect and mitigate CVE-2026-32006 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →