CVE-2026-32006
OpenClaw has a BlueBubbles group allowlist mismatch via DM pairing-store fallback
Description
### Summary In `[email protected]`, BlueBubbles group authorization could incorrectly treat DM pairing-store identities as group allowlist identities when `dmPolicy=pairing` and `groupPolicy=allowlist`. A sender that was only DM-paired (not explicitly present in `groupAllowFrom`) could pass group sender checks for message and reaction ingress. Per OpenClaw's `SECURITY.md` trust model, this is a constrained authorization-consistency issue, not a multi-tenant boundary bypass or host-privilege escalation. ### Affected Packages / Versions - Package: `openclaw` (npm) - Latest published npm version at triage time: `2026.2.25` - Affected versions: `<= 2026.2.25` - Patched versions: `>= 2026.2.26` (planned next release) ### Technical Details Root cause was DM/group allowlist composition where DM pairing-store identities could flow into group authorization decisions. Fix approach: - centralize DM/group authorization composition via shared resolvers - remove local DM/group list recomposition at channel callsites - add cross-channel regression coverage for message + reaction ingress - add CI guard to block future pairing-store leakage into group auth composition ### Impact - Affects deployments using BlueBubbles with `groupPolicy=allowlist` and `dmPolicy=pairing` when pairing-store entries are present. - Could allow DM-authorized identities to be treated as group-authorized without explicit `groupAllowFrom` membership. - Does **not** bypass gateway auth, sandbox boundaries, or create new host-level privilege beyond existing DM authorization. ### Fix Commit(s) - `051fdcc428129446e7c084260f837b7284279ce9` ### Release Process Note `patched_versions` is pre-set to the planned next release (`2026.2.26`) so once npm `2026.2.26` is published, this advisory can be published without further content edits. OpenClaw thanks @tdjackey for reporting.
How to fix CVE-2026-32006
To remediate CVE-2026-32006, upgrade the affected package to a fixed version below.
- —upgrade to 2026.2.26 or later
Is CVE-2026-32006 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.