Duplicate Advisory: Signal group allowlist authorization bypass via DM pairing-store leakage

GHSA-r849-826x-wgqm

Published Mar 19, 2026 · Modified Mar 20, 2026

Description

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-wm8r-w8pf-2v6w. This link is maintained to preserve external references.

Original Description

OpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerability where Signal group allowlist policy incorrectly accepts sender identities from DM pairing-store approvals. Attackers can exploit this boundary weakness by obtaining DM pairing approval to bypass group allowlist checks and gain unauthorized group access.

References

WEB https://github.com/openclaw/openclaw/security/advisories/GHSA-wm8r-w8pf-2v6w
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-31991
WEB https://github.com/openclaw/openclaw/commit/64de4b6d6ae81e269ceb4ca16f53cda99ced967a
WEB https://github.com/openclaw/openclaw/commit/8bdda7a651c21e98faccdbbd73081e79cffe8be0
WEB https://www.vulncheck.com/advisories/openclaw-authorization-bypass-via-dm-pairing-store-leakage-in-signal-group-allowlist

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes