OpenClaw Authorization Bypass Vulnerability in Group Reactions
Vulnerability
A vulnerability allowing authorization bypass in group reactions has been identified in OpenClaw versions prior to 2026.3.25. The issue arises because group reaction events are not subject to the requireMention access control that gates ordinary group messages, so an attacker can trigger reactions in mention-gated groups. As a result, agent-visible system events that should remain restricted are enqueued.
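The following TypeScript is an added illustration of the defect class the advisory describes and of one way to close it; it is not OpenClaw's code, and every name in it (GroupEvent, GroupConfig, dispatchVulnerable, dispatchFixed, botMessageIds, the sample group and message ids) is a constructed, hypothetical stand-in. The vulnerable dispatcher applies requireMention only on the message path, so a reaction event reaches the agent-visible queue with no check at all; the hardened dispatcher evaluates the gate once, before branching on event kind, and (as an assumed policy, since the page does not state the fix's logic) admits a reaction in a mention-gated group only when it targets one of the bot's own messages.

```typescript
// Constructed example: mention gating applied to message events only
// (vulnerable) versus to every group event kind (hardened).
// All identifiers are hypothetical and do not mirror OpenClaw internals.

type GroupEvent =
  | { kind: "message"; groupId: string; sender: string; text: string }
  | { kind: "reaction"; groupId: string; sender: string; emoji: string; targetMessageId: string };

interface GroupConfig {
  requireMention: boolean; // true = the group is mention-gated
  botHandle: string;       // constructed handle, e.g. "@claw"
}

// What the agent eventually sees; the queue is the resource the gate protects.
interface SystemEvent {
  groupId: string;
  summary: string;
}

function mentionsBot(text: string, handle: string): boolean {
  return text.includes(handle);
}

// Vulnerable variant: requireMention is consulted inside the "message" branch
// only, so a reaction in a mention-gated group is enqueued unconditionally.
function dispatchVulnerable(ev: GroupEvent, cfg: GroupConfig, queue: SystemEvent[]): boolean {
  if (ev.kind === "message") {
    if (cfg.requireMention && !mentionsBot(ev.text, cfg.botHandle)) return false;
    queue.push({ groupId: ev.groupId, summary: `message from ${ev.sender}` });
    return true;
  }
  // Reaction path: no access check before enqueueing an agent-visible event.
  queue.push({ groupId: ev.groupId, summary: `${ev.sender} reacted ${ev.emoji}` });
  return true;
}

// Hardened variant: the gate runs once for every event kind. A reaction has
// no text that could mention the bot, so (assumed policy) it passes the gate
// only when it targets a message the bot itself sent.
function dispatchFixed(
  ev: GroupEvent,
  cfg: GroupConfig,
  queue: SystemEvent[],
  botMessageIds: Set<string>,
): boolean {
  if (cfg.requireMention) {
    const allowed = ev.kind === "message"
      ? mentionsBot(ev.text, cfg.botHandle)
      : botMessageIds.has(ev.targetMessageId);
    if (!allowed) return false; // dropped before anything reaches the agent
  }
  const summary = ev.kind === "message"
    ? `message from ${ev.sender}`
    : `${ev.sender} reacted ${ev.emoji}`;
  queue.push({ groupId: ev.groupId, summary });
  return true;
}

// Runs both dispatchers on a constructed reaction from a non-mentioning
// sender in a mention-gated group and reports what each one enqueued.
function demo(): { vulnerableQueued: number; fixedQueued: number } {
  const cfg: GroupConfig = { requireMention: true, botHandle: "@claw" };
  const reaction: GroupEvent = {
    kind: "reaction", groupId: "group-1", sender: "outsider", emoji: "👍", targetMessageId: "msg-42",
  };
  const botMessageIds = new Set<string>(["msg-7"]); // msg-42 is not the bot's
  const vulnerableQueue: SystemEvent[] = [];
  const fixedQueue: SystemEvent[] = [];
  dispatchVulnerable(reaction, cfg, vulnerableQueue);
  dispatchFixed(reaction, cfg, fixedQueue, botMessageIds);
  return { vulnerableQueued: vulnerableQueue.length, fixedQueued: fixedQueue.length };
}

console.log(demo());
```

The check a reviewer should look for is structural: a per-kind branch that owns its own authorization logic invites exactly this gap whenever a new event kind is added, whereas a single gate ahead of the branch covers reactions, edits or any later kind by default.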
Impact
Exploitation of this vulnerability allows for authorization bypass, enabling reactions to be added in mention-gated groups without the necessary permissions. This bypass can lead to unauthorized system events being generated and visible to agents.
Reproduction
To reproduce this vulnerability, add a reaction in a mention-gated group using an account that does not have the required permissions. The reaction will be accepted, and an agent-visible system event will be generated, bypassing the mention requirement.
Remediation
Update to OpenClaw version 2026.3.25 or later to address this vulnerability.
