CVE-2026-32006: OpenClaw has a BlueBubbles group allowlist mismatch via DM pairing-store fallback

March 3, 2026 (updated March 19, 2026)

In openclaw@2026.2.25, BlueBubbles group authorization could incorrectly treat DM pairing-store identities as group allowlist identities when dmPolicy=pairing and groupPolicy=allowlist.

A sender that was only DM-paired (not explicitly present in groupAllowFrom) could pass group sender checks for message and reaction ingress.

Per OpenClaw’s SECURITY.md trust model, this is a constrained authorization-consistency issue, not a multi-tenant boundary bypass or host-privilege escalation.

References

github.com/advisories/GHSA-25pw-4h6w-qwvm
github.com/openclaw/openclaw
github.com/openclaw/openclaw/commit/1aadf26f9acc399affabd859937a09468a9c5cb4
github.com/openclaw/openclaw/security/advisories/GHSA-25pw-4h6w-qwvm
nvd.nist.gov/vuln/detail/CVE-2026-32006

Code Behaviors & Features

Detect and mitigate CVE-2026-32006 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →