CVE-2026-22170: OpenClaw: BlueBubbles (optional plugin) pairing/allowlist mismatch when allowFrom is empty
(updated )
BlueBubbles is an optional OpenClaw channel plugin. A configuration-sensitive access-control mismatch allowed DM senders to be treated as authorized when dmPolicy was pairing or allowlist and allowFrom was empty/unset.
References
- github.com/advisories/GHSA-jwf4-8wf4-jf2m
- github.com/openclaw/openclaw
- github.com/openclaw/openclaw/commit/2ba6de7eaad812e5e8603018e14e54e96bdd57dd
- github.com/openclaw/openclaw/commit/4540790cb62412676f7b61cfc6e47443f84a251e
- github.com/openclaw/openclaw/commit/51c0893673de8e5cea64e64351dbfa4680ba0dec
- github.com/openclaw/openclaw/commit/9632b9bcf032c5f2280c3103961fde912ab1f920
- github.com/openclaw/openclaw/security/advisories/GHSA-jwf4-8wf4-jf2m
- nvd.nist.gov/vuln/detail/CVE-2026-22170
Code Behaviors & Features
Detect and mitigate CVE-2026-22170 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →