CVE-2026-26328

MEDIUM

OpenClaw <2026.2.14 - Privilege Escalation

Title source: llm

Description

OpenClaw is a personal AI assistant. Prior to version 2026.2.14, under iMessage `groupPolicy=allowlist`, group authorization could be satisfied by sender identities coming from the DM pairing store, broadening DM trust into group contexts. Version 2026.2.14 fixes the issue.

References (3)

[Vendor Advisory] https://github.com/openclaw/openclaw/security/advisories/GHSA-g34w-4xqq-h79m

[Patch] https://github.com/openclaw/openclaw/commit/872079d42fe105ece2900a1dd6ab321b92da2d59

View Patch ZIP pw:eip

[Release Notes] https://github.com/openclaw/openclaw/releases/tag/v2026.2.14

Scores

CVSS v3 6.5

EPSS 0.0001

EPSS Percentile 2.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-863 CWE-284

Status published

Products (3)

npm/clawdbot 0 - 2026.2.14npm

npm/openclaw 0 - 2026.2.14npm

openclaw/openclaw < 2026.2.14

Published Feb 20, 2026

Tracked Since Feb 20, 2026