CVE-2026-32050
Severity
LOW
OpenClaw < 2026.2.25 - Unauthorized Reaction Status Event Enqueue via Access Check Bypass
Title source: cnaDescription
OpenClaw versions prior to 2026.2.25 contain an access control vulnerability (CWE-863, incorrect authorization) in Signal reaction notification handling: the reaction-only event path in event-handler.ts enqueues a status event before the authorization checks are applied, so an unauthorized sender can queue Signal reaction status lines for a session without passing the DM or group access validation. The impact is limited to those injected status lines (the CVSS 3.1 vector records integrity impact only, C:N/I:L/A:N); the fix ships in 2026.2.25.
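The defect class the description names is an ordering problem: a side effect (enqueueing a status line) happens before the access decision that is supposed to gate it. The following TypeScript is an added illustration written for this page, not OpenClaw's event-handler.ts or its patch; every name in it (Session, AccessPolicy, handleReactionVulnerable, handleReactionFixed, the sample phone numbers) is hypothetical. It puts the enqueue-then-check ordering next to the check-then-enqueue ordering and runs an outsider's reaction through both.

```typescript
// Added illustration of the CWE-863 ordering defect described above. Hypothetical
// names throughout; this is not OpenClaw's code and does not reproduce its fix.

type ChatKind = "dm" | "group";

interface Session {
  id: string;
  kind: ChatKind;
  members: Set<string>; // group members allowed to post; unused for DMs
}

interface ReactionEvent {
  sender: string;          // account id of the reacting party
  sessionId: string;       // DM or group session the reaction lands in
  emoji: string;
  targetTimestamp: number; // message the reaction applies to
}

interface AccessPolicy {
  dmAllowlist: Set<string>;   // senders allowed to reach the agent by DM
  allowedGroups: Set<string>; // group sessions the agent participates in
}

// Per-session queue of status lines that later surface to the agent/operator.
type StatusQueue = Map<string, string[]>;

function isSenderAuthorized(policy: AccessPolicy, session: Session, sender: string): boolean {
  if (session.kind === "dm") {
    return policy.dmAllowlist.has(sender);
  }
  return policy.allowedGroups.has(session.id) && session.members.has(sender);
}

function formatReactionStatus(ev: ReactionEvent): string {
  return `[reaction] ${ev.sender} reacted ${ev.emoji} to message ${ev.targetTimestamp}`;
}

function enqueueStatus(queue: StatusQueue, sessionId: string, line: string): void {
  const lines = queue.get(sessionId) ?? [];
  lines.push(line);
  queue.set(sessionId, lines);
}

// Vulnerable ordering: the reaction-only branch enqueues first. The access check
// still runs, but the attacker-controlled status line is already in the queue.
function handleReactionVulnerable(ev: ReactionEvent, sessions: Map<string, Session>,
                                  policy: AccessPolicy, queue: StatusQueue): boolean {
  const session = sessions.get(ev.sessionId);
  if (!session) return false;
  enqueueStatus(queue, session.id, formatReactionStatus(ev)); // side effect before the check
  if (!isSenderAuthorized(policy, session, ev.sender)) {
    return false; // too late: the line was queued above
  }
  return true;
}

// Fixed ordering: authorization gates every side effect, including the queue.
function handleReactionFixed(ev: ReactionEvent, sessions: Map<string, Session>,
                             policy: AccessPolicy, queue: StatusQueue): boolean {
  const session = sessions.get(ev.sessionId);
  if (!session) return false;
  if (!isSenderAuthorized(policy, session, ev.sender)) return false;
  enqueueStatus(queue, session.id, formatReactionStatus(ev));
  return true;
}

// Constructed fixture: one DM session with an allowlisted contact, one group the
// agent is in, and an outsider who is in neither. Numbers are made up.
function buildFixture(): { sessions: Map<string, Session>; policy: AccessPolicy } {
  const sessions = new Map<string, Session>();
  sessions.set("dm:+15550100", { id: "dm:+15550100", kind: "dm", members: new Set<string>() });
  sessions.set("group:ops", { id: "group:ops", kind: "group", members: new Set<string>(["+15550100", "+15550101"]) });
  const policy: AccessPolicy = {
    dmAllowlist: new Set<string>(["+15550100"]),
    allowedGroups: new Set<string>(["group:ops"]),
  };
  return { sessions, policy };
}

// Runs an outsider's reaction through both handlers and an authorized member's
// reaction through the fixed one, reporting how many status lines landed.
function compareOrderings(): { vulnerableQueued: number; fixedQueued: number; ownerQueued: number } {
  const { sessions, policy } = buildFixture();
  const outsider: ReactionEvent = { sender: "+15559999", sessionId: "dm:+15550100", emoji: "👍", targetTimestamp: 1711000000 };
  const owner: ReactionEvent = { sender: "+15550100", sessionId: "group:ops", emoji: "✅", targetTimestamp: 1711000001 };

  const vulnQueue: StatusQueue = new Map();
  handleReactionVulnerable(outsider, sessions, policy, vulnQueue);

  const fixedQueue: StatusQueue = new Map();
  handleReactionFixed(outsider, sessions, policy, fixedQueue);
  handleReactionFixed(owner, sessions, policy, fixedQueue);

  return {
    vulnerableQueued: (vulnQueue.get("dm:+15550100") ?? []).length,
    fixedQueued: (fixedQueue.get("dm:+15550100") ?? []).length,
    ownerQueued: (fixedQueue.get("group:ops") ?? []).length,
  };
}

console.log(compareOrderings()); // { vulnerableQueued: 1, fixedQueued: 0, ownerQueued: 1 }
```

The check you want when reviewing a handler like this is that no branch, including the reaction-only one, touches the queue (or any other shared state) before the same authorization gate the regular message path uses; a handler that returns false after enqueueing has already done the damage.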
References (3)
Third Party Advisory: GitHub Security Advisory (GHSA-792q-qw95-f446)
https://github.com/openclaw/openclaw/security/advisories/GHSA-792q-qw95-f446
Patch: Patch Commit
https://github.com/openclaw/openclaw/commit/2aa7842adeedef423be7ce283a9144b9f1a0a669
Third Party Advisory: VulnCheck Advisory: OpenClaw < 2026.2.25 - Unauthorized Reaction Status Event Enqueue via Access Check Bypass
https://www.vulncheck.com/advisories/openclaw-unauthorized-reaction-status-event-enqueue-via-access-check-bypass
Scores
CVSS v3.1 Base Score
3.7
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
NETWORK
EPSS
0.0021
EPSS Percentile
11.1%
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-863
Status
published
Products (4)
npm/openclaw: >= 0, < 2026.2.25 (npm)
OpenClaw/OpenClaw: < 2026.2.25
openclaw/openclaw: < 2026.2.25
OpenClaw/OpenClaw: 2026.2.25 (fixed release)
Published
Mar 21, 2026
Tracked Since
Mar 21, 2026