CVE-2026-31991
Last modified
CVE-2026-31991 is a low-severity vulnerability rated 2/10 on the CVSS scale. OpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerability where Signal group allowlist policy incorrectly accepts sender identities from DM pairing-store approvals. Attackers can exploit this boundary weakness by obtaining DM pairing approval to bypass group allowlist checks and gain unauthorized group access.. EPSS estimates a 0.15% chance of exploitation in the next 30 days.
Description
OpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerability where Signal group allowlist policy incorrectly accepts sender identities from DM pairing-store approvals. Attackers can exploit this boundary weakness by obtaining DM pairing approval to bypass group allowlist checks and gain unauthorized group access.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Openclaw | Openclaw | < 2026.2.26 |
References
- https://github.com/openclaw/openclaw/security/advisories/GHSA-wm8r-w8pf-2v6wMitigation, Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2026-31991?
How severe is CVE-2026-31991?
How do I fix CVE-2026-31991?
Are you affected by CVE-2026-31991?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST