GHSA-r849-826x-wgqm

Suggest an improvement
Source
https://github.com/advisories/GHSA-r849-826x-wgqm
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-r849-826x-wgqm/GHSA-r849-826x-wgqm.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-r849-826x-wgqm
Withdrawn
2026-03-20T13:40:02Z
Published
2026-03-19T03:30:57Z
Modified
2026-03-20T13:47:43.075691Z
Severity
  • 3.7 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N CVSS Calculator
  • 2.0 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVSS Calculator
Summary
Duplicate Advisory: Signal group allowlist authorization bypass via DM pairing-store leakage
Details

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-wm8r-w8pf-2v6w. This link is maintained to preserve external references.

Original Description

OpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerability where Signal group allowlist policy incorrectly accepts sender identities from DM pairing-store approvals. Attackers can exploit this boundary weakness by obtaining DM pairing approval to bypass group allowlist checks and gain unauthorized group access.

Database specific 
{
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-20T13:40:02Z",
    "cwe_ids": [
        "CWE-863"
    ],
    "severity": "LOW",
    "nvd_published_at": "2026-03-19T02:16:03Z"
}
References

Affected packages

npm / openclaw

Package

Name
openclaw
View open source insights on deps.dev
Purl
pkg:npm/openclaw

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-r849-826x-wgqm/GHSA-r849-826x-wgqm.json"
last_known_affected_version_range 
"< 2026.2.26"