Vulnerability Description
OpenClaw versions prior to 2026.2.22 with the optional BlueBubbles plugin contain an access control bypass vulnerability where empty allowFrom configuration causes dmPolicy pairing and allowlist restrictions to be ineffective. Remote attackers can send direct messages to BlueBubbles accounts by exploiting the misconfigured allowlist validation logic to bypass intended sender authorization checks.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Openclaw | Openclaw | < 2026.2.22 |
Related Weaknesses (CWE)
References
- https://github.com/openclaw/openclaw/commit/2ba6de7eaad812e5e8603018e14e54e96bddPatch
- https://github.com/openclaw/openclaw/commit/4540790cb62412676f7b61cfc6e47443f84aPatch
- https://github.com/openclaw/openclaw/commit/51c0893673de8e5cea64e64351dbfa4680baPatch
- https://github.com/openclaw/openclaw/commit/9632b9bcf032c5f2280c3103961fde912ab1Patch
- https://github.com/openclaw/openclaw/security/advisories/GHSA-jwf4-8wf4-jf2mVendor Advisory
- https://www.vulncheck.com/advisories/openclaw-bluebubbles-access-control-bypass-Third Party Advisory
FAQ
What is CVE-2026-22170?
CVE-2026-22170 is a vulnerability with a CVSS score of 6.5 (MEDIUM). OpenClaw versions prior to 2026.2.22 with the optional BlueBubbles plugin contain an access control bypass vulnerability where empty allowFrom configuration causes dmPolicy pairing and allowlist restr...
How severe is CVE-2026-22170?
CVE-2026-22170 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-22170?
Check the references section above for vendor advisories and patch information. Affected products include: Openclaw Openclaw.