CVE-2026-32027: OpenClaw DM pairing-store identities could satisfy group allowlist authorization
DM pairing-store identities were incorrectly eligible for group allowlist authorization checks, enabling cross-context authorization in group message paths.
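The cross-context flaw described above, sketched as an added example rather than code from OpenClaw or the advisory: a merged identity check next to a context-scoped one, plus a helper that lists identities whose group access came only from DM pairing. All type, function and identity names are hypothetical, and the sample stores are constructed.

```typescript
// Added illustration. All names are hypothetical, not OpenClaw's API.
type Context = "dm" | "group";

interface AuthStores {
  dmPairingStore: string[]; // identities approved through DM pairing
  groupAllowlist: string[]; // identities explicitly allowed in groups
}

// Constructed sample data.
const SAMPLE: AuthStores = {
  dmPairingStore: ["dm-paired-user"],
  groupAllowlist: ["group-member"],
};

// Flawed pattern: one merged identity list answers every context, so a
// DM-paired sender also satisfies the group allowlist check.
function isAllowedMerged(stores: AuthStores, _ctx: Context, sender: string): boolean {
  const merged = stores.dmPairingStore.concat(stores.groupAllowlist);
  return merged.indexOf(sender) !== -1;
}

// Scoped pattern: each context consults only the store populated for it,
// and anything unrecognised fails closed.
function isAllowedScoped(stores: AuthStores, ctx: Context, sender: string): boolean {
  switch (ctx) {
    case "dm":
      return stores.dmPairingStore.indexOf(sender) !== -1;
    case "group":
      return stores.groupAllowlist.indexOf(sender) !== -1;
    default:
      return false;
  }
}

// Review helper: identities whose group access came only from DM pairing,
// i.e. the ones whose group decisions differ between the two patterns.
function dmOnlyGroupAccess(stores: AuthStores): string[] {
  return stores.dmPairingStore.filter(
    (id) => isAllowedMerged(stores, "group", id) && !isAllowedScoped(stores, "group", id),
  );
}
```

Running the helper over exported allowlist data shows which senders would lose group access once the two stores are separated.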
References
- github.com/advisories/GHSA-jv6r-27ww-4gw4
- github.com/openclaw/openclaw
- github.com/openclaw/openclaw/commit/051fdcc428129446e7c084260f837b7284279ce9
- github.com/openclaw/openclaw/commit/8bdda7a651c21e98faccdbbd73081e79cffe8be0
- github.com/openclaw/openclaw/security/advisories/GHSA-jv6r-27ww-4gw4
- nvd.nist.gov/vuln/detail/CVE-2026-32027
- www.vulncheck.com/advisories/openclaw-improper-authorization-via-dm-pairing-store-identity-inheritance-in-group-allowlist
Detect and mitigate CVE-2026-32027 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities.