Vulnerability Description
OpenClaw versions prior to 2026.2.25 contain an access control vulnerability in signal reaction notification handling that allows unauthorized senders to enqueue status events before authorization checks are applied. Attackers can exploit the reaction-only event path in event-handler.ts to queue signal reaction status lines for sessions without proper DM or group access validation.
CVSS Score
LOW
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Openclaw | Openclaw | < 2026.2.25 |
Related Weaknesses (CWE)
References
- https://github.com/openclaw/openclaw/commit/2aa7842adeedef423be7ce283a9144b9f1a0Patch
- https://github.com/openclaw/openclaw/security/advisories/GHSA-792q-qw95-f446Vendor Advisory
- https://www.vulncheck.com/advisories/openclaw-unauthorized-reaction-status-eventThird Party Advisory
FAQ
What is CVE-2026-32050?
CVE-2026-32050 is a vulnerability with a CVSS score of 3.7 (LOW). OpenClaw versions prior to 2026.2.25 contain an access control vulnerability in signal reaction notification handling that allows unauthorized senders to enqueue status events before authorization che...
How severe is CVE-2026-32050?
CVE-2026-32050 has been rated LOW with a CVSS base score of 3.7/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-32050?
Check the references section above for vendor advisories and patch information. Affected products include: Openclaw Openclaw.