OpenClaw iMessage Group Authorization Vulnerability Allowing Cross-Context Command Authorization
Vulnerability
A vulnerability in OpenClaw's iMessage group authorization process prior to version 2026.2.14 allows sender identities from the direct message (DM) pairing store to be recognized in group contexts. This issue arises under the iMessage group policy 'allowlist', where group authorization could be improperly satisfied by DM pairing-store identities. As a result, commands authorized in DM could be executed in group chats, undermining the intended separation of authorization contexts.
Impact
Exploitation of this vulnerability could lead to unauthorized command execution in group chats, based on approvals from direct message interactions.
Reproduction
To reproduce this vulnerability, set the iMessage group policy to 'allowlist' and ensure that the DM pairing store contains at least one approved sender identity. When a message then arrives in a group chat from a sender who was approved only through DM pairing, group authorization incorrectly succeeds, and the command is executed in the group even though the sender was never authorized for that context.
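The following is an added model of the authorization flaw described above and of its fix; it is not OpenClaw's own code, and every name in it (AuthState, dm_paired, group_allowlists, authorize_vulnerable, authorize_fixed, the sample sender handles) is an assumption made for the illustration. It shows the flawed check accepting a DM-paired sender in a group, the corrected check rejecting the same message while still accepting a properly allowlisted group member, and a small audit that lists which DM-paired identities would gain group authority under the flawed check.

```python
"""Added illustration (not OpenClaw's own code): a context-scoped sender
authorization check modelled on the advisory above.

All identifiers here are assumptions made for the example, not OpenClaw names.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Context(Enum):
    DM = "dm"
    GROUP = "group"


@dataclass
class AuthState:
    # Senders approved through direct-message pairing (the advisory's "DM pairing store").
    dm_paired: set[str] = field(default_factory=set)
    # Per-group allowlists keyed by a group identifier (assumed shape).
    group_allowlists: dict[str, set[str]] = field(default_factory=dict)
    # Only the 'allowlist' policy named in the advisory is modelled here.
    group_policy: str = "allowlist"


def authorize_vulnerable(state: AuthState, context: Context, sender: str,
                         group_id: str | None = None) -> bool:
    """Flawed check: under the 'allowlist' group policy, a sender found in the
    DM pairing store also satisfies group authorization, so an approval given
    in a DM silently carries over to every group chat."""
    if context is Context.DM:
        return sender in state.dm_paired
    if state.group_policy != "allowlist":
        return False
    allowed = state.group_allowlists.get(group_id, set())
    # Bug: the DM pairing store is consulted as a fallback for group authorization.
    return sender in allowed or sender in state.dm_paired


def authorize_fixed(state: AuthState, context: Context, sender: str,
                    group_id: str | None = None) -> bool:
    """Corrected check: each context consults only its own store, so DM pairing
    never grants authority in a group."""
    if context is Context.DM:
        return sender in state.dm_paired
    if state.group_policy != "allowlist":
        return False
    return sender in state.group_allowlists.get(group_id, set())


def cross_context_exposures(state: AuthState) -> list[str]:
    """Defender-side audit: senders who are DM-paired but on no group allowlist.
    Under the flawed check these identities could command any group chat, so
    they are the ones to review in a deployment that has not yet upgraded."""
    listed_anywhere = set().union(*state.group_allowlists.values())
    return sorted(state.dm_paired - listed_anywhere)


def reproduce() -> dict[str, object]:
    """Walk through the advisory's reproduction with constructed sample identities."""
    # Constructed sample data, not real iMessage handles.
    state = AuthState(
        dm_paired={"dm-paired@example.test"},
        group_allowlists={"ops-group": {"group-member@example.test"}},
    )
    dm_sender = "dm-paired@example.test"
    group_sender = "group-member@example.test"
    stranger = "unknown@example.test"
    return {
        # DM pairing still works as intended in the DM context.
        "dm_sender_in_dm": authorize_fixed(state, Context.DM, dm_sender),
        # The bug: a DM-paired sender is accepted in a group chat.
        "dm_sender_in_group_vulnerable": authorize_vulnerable(state, Context.GROUP, dm_sender, "ops-group"),
        # After the fix the same message is rejected.
        "dm_sender_in_group_fixed": authorize_fixed(state, Context.GROUP, dm_sender, "ops-group"),
        # Legitimately allowlisted group members are unaffected by the fix.
        "group_sender_in_group_fixed": authorize_fixed(state, Context.GROUP, group_sender, "ops-group"),
        # Senders in neither store are rejected either way.
        "stranger_in_group_vulnerable": authorize_vulnerable(state, Context.GROUP, stranger, "ops-group"),
        # Identities that the flawed check would over-authorize.
        "exposures": cross_context_exposures(state),
    }


if __name__ == "__main__":
    for key, value in reproduce().items():
        print(f"{key}: {value}")
```

The design point is that the two stores answer different questions ("may this person talk to me privately?" versus "may this person issue commands in this room?"), so the group path must never fall back to the DM store; the fixed function keeps the DM branch intact and removes only the cross-store fallback, and the audit function gives an operator a concrete list of identities to review before the upgrade in L9 is applied.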
Remediation
Users can upgrade to OpenClaw version 2026.2.14 or later to address this vulnerability.
