CVE-2026-32050
OpenClaw < 2026.2.25 - Unauthorized Reaction Status Event Enqueue via Access Check Bypass
CVSS Score
3.7
EPSS Score
0.0%
EPSS Percentile
7th
OpenClaw versions prior to 2026.2.25 contain an access control vulnerability in signal reaction notification handling that allows unauthorized senders to enqueue status events before authorization checks are applied. Attackers can exploit the reaction-only event path in event-handler.ts to queue signal reaction status lines for sessions without proper DM or group access validation.
| CWE | CWE-863 |
| Vendor | openclaw |
| Product | openclaw |
| Published | Mar 21, 2026 |
| Last Updated | Mar 23, 2026 |
Stay Ahead of the Next One
Get instant alerts for openclaw openclaw
Be the first to know when new low vulnerabilities affecting openclaw openclaw are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None
Affected Versions
OpenClaw / OpenClaw
0 < 2026.2.25
References
github.com: https://github.com/openclaw/openclaw/security/advisories/GHSA-792q-qw95-f446 github.com: https://github.com/openclaw/openclaw/commit/2aa7842adeedef423be7ce283a9144b9f1a0a669 vulncheck.com: https://www.vulncheck.com/advisories/openclaw-unauthorized-reaction-status-event-enqueue-via-access-check-bypass
Credits
๐ tdjackey