CVE-2026-32005

MEDIUM openclaw NVD

CVSS Score 6.8

Severity MEDIUM

Published Mar 19, 2026

Vendor openclaw

Description

OpenClaw versions prior to 2026.2.25 fail to enforce sender authorization checks for interactive callbacks including block_action, view_submission, and view_closed in shared workspace deployments. Unauthorized workspace members can bypass allowFrom restrictions and channel user allowlists to enqueue system-event text into active sessions.

References

https://github.com/openclaw/openclaw/commit/ce8c67c314b93f570f53c2a9abc124e1e3a54715
https://github.com/openclaw/openclaw/security/advisories/GHSA-x2ff-j5c2-ggpr
https://www.vulncheck.com/advisories/openclaw-authorization-bypass-in-interactive-callbacks-via-sender-check-skip