Incorrect authorization in OpenClaw - CVE-2026-22170

Published: May 1, 2026


Vulnerability identifier: #VU128825
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-22170
CWE-ID: CWE-863
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OpenClaw
Affected software:
OpenClaw

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass authorization checks.

The vulnerability exists due to incorrect authorization in isAllowedParsedChatSender() and in the BlueBubbles DM/reaction authorization logic. When a direct message or reaction is processed with dmPolicy set to pairing or allowlist while allowFrom is empty or unset, the sender is not rejected as the policy requires. A remote attacker can send messages or reactions from an untrusted sender to bypass the authorization checks.

This issue affects the optional BlueBubbles channel plugin rather than core messaging surfaces; deployments that do not enable that plugin are not exposed through this path.
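As an added illustration, not OpenClaw's code and not the vendor's fix, the following TypeScript contrasts a sender gate that treats an empty or unset allowFrom as "no restriction" with one that fails closed for the pairing and allowlist policies and routes reactions through the same check as direct messages. The type names, the isPaired field, the weak variant and the sample handles are all assumptions constructed for this example.

```typescript
// Added illustration, not OpenClaw's code: a DM/reaction sender gate of the kind
// the advisory describes, in a hypothetical weak form and a hardened form.
// Names (DmPolicy, DmConfig, ParsedChatSender, InboundEvent, isPaired) are assumptions.

type DmPolicy = "open" | "pairing" | "allowlist";

interface DmConfig {
  dmPolicy: DmPolicy;
  allowFrom?: string[]; // sender handles explicitly allowed; may be empty or unset
}

interface ParsedChatSender {
  handle: string;    // the identifier the channel reports (phone number, e-mail, ...)
  isPaired: boolean; // assumed: whether this sender completed the pairing flow
}

interface InboundEvent {
  kind: "message" | "reaction";
  sender: ParsedChatSender;
}

function normalizeHandle(h: string): string {
  return h.trim().toLowerCase();
}

function inAllowlist(sender: ParsedChatSender, cfg: DmConfig): boolean {
  const allowFrom = (cfg.allowFrom ?? []).map(normalizeHandle);
  return allowFrom.includes(normalizeHandle(sender.handle));
}

// Weak form (hypothetical): an empty or unset allowFrom is read as "nothing
// configured" and short-circuits to allow before the restrictive policy is
// applied. This is the class of logic error the advisory describes, not the
// project's actual code.
function isAllowedParsedChatSenderWeak(sender: ParsedChatSender, cfg: DmConfig): boolean {
  if (cfg.dmPolicy === "open") return true;
  if (!cfg.allowFrom || cfg.allowFrom.length === 0) return true; // bug: default-allow
  if (cfg.dmPolicy === "pairing" && sender.isPaired) return true;
  return inAllowlist(sender, cfg);
}

// Hardened form: restrictive policies deny by default. "pairing" admits a
// sender only if paired or explicitly listed; "allowlist" only if listed.
// An empty or unset allowFrom therefore admits no one under "allowlist".
function isAllowedParsedChatSender(sender: ParsedChatSender, cfg: DmConfig): boolean {
  switch (cfg.dmPolicy) {
    case "open":
      return true;
    case "pairing":
      return sender.isPaired || inAllowlist(sender, cfg);
    case "allowlist":
      return inAllowlist(sender, cfg);
    default:
      return false; // unknown policy: fail closed
  }
}

// Direct messages and reactions pass through the same gate, so a reaction
// cannot reach the agent via a path the message check never sees.
function authorizeInboundEvent(ev: InboundEvent, cfg: DmConfig): boolean {
  return isAllowedParsedChatSender(ev.sender, cfg);
}

// Constructed sample: an unknown sender under each policy with allowFrom unset
// or empty, plus a paired sender and an allowlisted one.
// Each entry is [weakResult, hardenedResult].
function compareGates(): Record<string, [boolean, boolean]> {
  const stranger: ParsedChatSender = { handle: "+15550001111", isPaired: false };
  const paired: ParsedChatSender = { handle: "+15550002222", isPaired: true };
  const listed: ParsedChatSender = { handle: "Friend@Example.com", isPaired: false };
  const cases: Record<string, [ParsedChatSender, DmConfig]> = {
    "pairing/unset/stranger": [stranger, { dmPolicy: "pairing" }],
    "allowlist/empty/stranger": [stranger, { dmPolicy: "allowlist", allowFrom: [] }],
    "pairing/unset/paired": [paired, { dmPolicy: "pairing" }],
    "allowlist/listed": [listed, { dmPolicy: "allowlist", allowFrom: ["friend@example.com"] }],
    "open/stranger": [stranger, { dmPolicy: "open" }],
  };
  const out: Record<string, [boolean, boolean]> = {};
  for (const [name, [s, cfg]] of Object.entries(cases)) {
    out[name] = [isAllowedParsedChatSenderWeak(s, cfg), isAllowedParsedChatSender(s, cfg)];
  }
  return out;
}

console.table(compareGates());
```

The two rows where the weak gate returns true and the hardened gate returns false (an unknown sender under pairing with allowFrom unset, and under allowlist with allowFrom empty) are exactly the configurations the advisory names; the remaining rows show the hardened gate still admits paired and explicitly listed senders, so the fix does not break legitimate traffic.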


How to mitigate CVE-2026-22170

Install the security update from the vendor's website. Until it is applied, deployments using the BlueBubbles channel plugin with dmPolicy set to pairing or allowlist should not rely on an empty or unset allowFrom to restrict senders.

Sources