Incorrect authorization in OpenClaw - CVE-2026-22170

 

Published: May 1, 2026


Vulnerability identifier: #VU128825
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-22170
CWE-ID: CWE-863
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: OpenClaw
Software vendor: OpenClaw

Description

The vulnerability allows a remote attacker to bypass authorization checks.

The vulnerability exists due to incorrect authorization in isAllowedParsedChatSender() and in the BlueBubbles DM/reaction authorization logic when a direct message or reaction is processed while dmPolicy is set to pairing or allowlist and allowFrom is empty or unset. A remote attacker can send messages or reactions from an untrusted sender to bypass authorization checks.

This issue affects the optional BlueBubbles channel plugin rather than core messaging surfaces.
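The following is an added illustration, not OpenClaw's code: a constructed model of a sender-authorization check with the shape the advisory describes, placed beside a fail-closed version of the same check. Only the names dmPolicy, allowFrom, the pairing/allowlist policy values and the function name isAllowedParsedChatSender come from the advisory; the ChannelConfig and ParsedChatSender types, the "open" policy, the paired-sender set, the sample identifiers and the specific fail-open defect (an empty allowFrom treated as "no restriction") are assumptions made for the example.

```typescript
// Added example (not OpenClaw's code). Models a DM/reaction sender check in
// which an empty or unset allowFrom is wrongly treated as "allow everyone",
// and shows the fail-closed form a reviewer would expect instead.

type DmPolicy = "open" | "pairing" | "allowlist"; // "open" is assumed

interface ChannelConfig {
  dmPolicy: DmPolicy;
  allowFrom?: string[]; // explicitly trusted sender identifiers (may be unset)
}

interface ParsedChatSender {
  id: string; // normalized sender identifier (assumed shape)
}

// Constructed store of senders that completed a pairing handshake.
const pairedSenders = new Set<string>(["+15550001111"]);

// Flawed check (constructed): under pairing/allowlist, an empty allowFrom
// short-circuits to "allowed", so untrusted senders pass.
function isAllowedParsedChatSenderWeak(cfg: ChannelConfig, sender: ParsedChatSender): boolean {
  if (cfg.dmPolicy === "open") return true;
  const allow = cfg.allowFrom ?? [];
  if (allow.length === 0) return true; // bug: fail-open when nothing is listed
  return allow.includes(sender.id) ||
    (cfg.dmPolicy === "pairing" && pairedSenders.has(sender.id));
}

// Hardened check: restrictive policies fail closed. "allowlist" admits only
// listed senders; "pairing" admits listed or paired senders. An empty or
// unset allowFrom never widens access.
function isAllowedParsedChatSenderFixed(cfg: ChannelConfig, sender: ParsedChatSender): boolean {
  if (cfg.dmPolicy === "open") return true;
  const allow = new Set(cfg.allowFrom ?? []);
  if (allow.has(sender.id)) return true;
  if (cfg.dmPolicy === "pairing") return pairedSenders.has(sender.id);
  return false; // allowlist with no match, including an empty list: deny
}

// Runs both checks over inbound senders and returns the ids the weak check
// admits but the fixed check rejects, i.e. the authorization bypasses.
function findBypasses(cfg: ChannelConfig, senders: ParsedChatSender[]): string[] {
  return senders
    .filter(s => isAllowedParsedChatSenderWeak(cfg, s) && !isAllowedParsedChatSenderFixed(cfg, s))
    .map(s => s.id);
}

// Constructed inbound senders: one paired, one untrusted.
const sampleSenders: ParsedChatSender[] = [
  { id: "+15550001111" },
  { id: "+15559998888" },
];

// Usage: a pairing policy with allowFrom unset should admit only the paired
// sender; the weak check also admits the untrusted one.
const pairingUnset: ChannelConfig = { dmPolicy: "pairing" };
console.log("bypasses under pairing/unset allowFrom:", findBypasses(pairingUnset, sampleSenders));
```

The practical check for an operator is the last function: with dmPolicy set to pairing or allowlist and allowFrom left empty, a correct implementation admits no unlisted or unpaired sender, so any id reported as a bypass indicates the fail-open behaviour the advisory describes.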


Remediation

Install the security update from the vendor's website.

External links