OpenClaw Authorization Bypass Vulnerability in Direct Message Pairing Policy
Vulnerability
A cross-account authorization bypass vulnerability has been identified in OpenClaw versions prior to 2026.2.26. The flaw is in the pairing-store access control for the direct-message pairing policy, which allows a pairing approval granted in one account to be reused across other accounts. In multi-account deployments, a sender approved in one account is automatically accepted in another account without explicit approval, bypassing the authorization boundary between accounts.
Impact
Exploitation of this vulnerability creates an authorization boundary weakness in multi-account channel deployments, allowing for cross-account pairing approvals.
Reproduction
To reproduce this vulnerability, pair a sender in one account and then attempt to send a direct message to another account in a multi-account deployment. The message will be accepted without explicit approval, demonstrating the authorization bypass.
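The following is an added example, not OpenClaw's own code: a minimal model of a direct-message pairing store that contrasts the vulnerable pattern (approvals keyed by sender only) with the hardened pattern (approvals keyed by account and sender), and replays the reproduction steps above against both. All names and shapes (PairingStore, GlobalPairingStore, ScopedPairingStore, the account and sender ids) are assumptions for illustration.

```typescript
// Added example (not OpenClaw's code): a minimal model of a DM pairing
// store showing why approvals must be scoped per account.
// Interface, class and id names are assumptions for illustration.
interface PairingStore {
  approve(accountId: string, senderId: string): void;
  isApproved(accountId: string, senderId: string): boolean;
}

// Vulnerable pattern: approvals keyed by sender only, so an approval made
// in one account is honoured in every other account of the deployment.
class GlobalPairingStore implements PairingStore {
  private approved = new Set<string>();
  approve(_accountId: string, senderId: string): void {
    this.approved.add(senderId);
  }
  isApproved(_accountId: string, senderId: string): boolean {
    return this.approved.has(senderId);
  }
}

// Hardened pattern: the key includes the account, so an approval cannot be
// reused across accounts. A separator that cannot occur in ids prevents
// key collisions such as ("ab","c") colliding with ("a","bc").
class ScopedPairingStore implements PairingStore {
  private approved = new Set<string>();
  private key(accountId: string, senderId: string): string {
    return `${accountId}\u0000${senderId}`;
  }
  approve(accountId: string, senderId: string): void {
    this.approved.add(this.key(accountId, senderId));
  }
  isApproved(accountId: string, senderId: string): boolean {
    return this.approved.has(this.key(accountId, senderId));
  }
}

// Gate an inbound DM under the pairing policy: accept only approved senders.
function acceptDirectMessage(store: PairingStore, accountId: string, senderId: string): boolean {
  return store.isApproved(accountId, senderId);
}

// Replays the reproduction: approve a sender in account A, then have the
// same sender DM account B. Returns whether each DM was accepted.
function reproduce(store: PairingStore): { sameAccount: boolean; otherAccount: boolean } {
  store.approve("account-A", "sender-1");
  return {
    sameAccount: acceptDirectMessage(store, "account-A", "sender-1"),
    otherAccount: acceptDirectMessage(store, "account-B", "sender-1"),
  };
}
```

With the global store both DMs are accepted (the bypass); with the scoped store only the DM to account A is accepted.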
Remediation
Users can update to OpenClaw version 2026.2.26 or later, where this vulnerability has been patched.