
Originally published at cvereports.com


GHSA-792Q-QW95-F446: Authorization Bypass in OpenClaw Signal Reaction Handling

Vulnerability ID: GHSA-792Q-QW95-F446
CVSS Score: 6.5
Published: 2026-03-03

An authorization bypass vulnerability exists in the OpenClaw Signal integration where reaction events (emojis) are processed before access control policies are enforced. This flaw allows unauthenticated or unauthorized Signal users to inject system events into the OpenClaw agent's event queue by sending reactions, bypassing the configured 'dmPolicy', 'allowFrom' lists, and 'groupPolicy'. The vulnerability is rooted in an early-return logic flow within the event handler that processes reactions prior to validating the sender's identity against the security policy.

TL;DR

OpenClaw versions prior to 2026.2.25 fail to enforce access controls on Signal reaction events. Unauthorized attackers can inject system events by reacting to messages, bypassing allowlists and pairing requirements.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-285
  • Attack Vector: Network (Signal Protocol)
  • CVSS (Est.): 6.5 (Medium)
  • Impact: Authorization Bypass / Event Injection
  • Exploit Status: Proof of Concept
  • Patch Status: Fixed in 2026.2.25

Affected Systems

  • OpenClaw (Signal Integration) versions < 2026.2.25
  • OpenClaw: < 2026.2.25 (Fixed in: 2026.2.25)

Code Analysis

Commit: 2aa7842

Refactor signal event handler to resolve access decisions before processing reactions
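To make the ordering problem concrete, here is an added illustration written for this post; it is not OpenClaw's code, and the function names (resolveAccessDecision, handleEventVulnerable, handleEventFixed), the event shape and the policy values are assumptions. Only the policy field names dmPolicy, allowFrom and groupPolicy come from the advisory. It models a handler that takes an early return for reactions before the access decision, beside one that resolves the decision first, and runs both against a constructed reaction from a number that is not in allowFrom:

```javascript
// Added illustration, not OpenClaw's code. Models the early-return ordering
// described in the advisory and the corrected ordering side by side.
// Policy field names follow the advisory; everything else is constructed.

// Hypothetical access decision for a DM or group sender, independent of the
// kind of event (message or reaction) being handled.
function resolveAccessDecision(policy, event) {
  if (event.groupId) {
    if (policy.groupPolicy === "open") return { allowed: true, reason: "group open" };
    if (policy.groupPolicy === "allowlist") {
      return policy.allowFrom.includes(event.sender)
        ? { allowed: true, reason: "group allowlist" }
        : { allowed: false, reason: "sender not in allowFrom" };
    }
    return { allowed: false, reason: "group policy disabled" };
  }
  if (policy.dmPolicy === "open") return { allowed: true, reason: "dm open" };
  if (policy.dmPolicy === "allowlist" || policy.dmPolicy === "pairing") {
    return policy.allowFrom.includes(event.sender)
      ? { allowed: true, reason: "dm allowlist" }
      : { allowed: false, reason: "sender not paired or allowlisted" };
  }
  return { allowed: false, reason: "dm policy disabled" };
}

// VULNERABLE ordering: reactions take an early return straight into the
// system event queue; only plain messages ever reach the policy check.
function handleEventVulnerable(policy, event, queue) {
  if (event.kind === "reaction") {
    queue.push({ type: "system", text: `Signal reaction added: ${event.emoji} from ${event.sender}` });
    return "queued"; // early return: access never evaluated
  }
  const decision = resolveAccessDecision(policy, event);
  if (!decision.allowed) return "dropped";
  queue.push({ type: "message", text: event.text, from: event.sender });
  return "queued";
}

// FIXED ordering: resolve the access decision first, then branch on kind.
function handleEventFixed(policy, event, queue) {
  const decision = resolveAccessDecision(policy, event);
  if (!decision.allowed) return "dropped";
  if (event.kind === "reaction") {
    queue.push({ type: "system", text: `Signal reaction added: ${event.emoji} from ${event.sender}` });
    return "queued";
  }
  queue.push({ type: "message", text: event.text, from: event.sender });
  return "queued";
}

// Constructed scenario: allowlist DM policy with a single paired number.
const policy = { dmPolicy: "allowlist", allowFrom: ["+15550001111"], groupPolicy: "disabled" };
const strangerReaction = { kind: "reaction", sender: "+15559998888", emoji: "👍" };
const pairedReaction = { kind: "reaction", sender: "+15550001111", emoji: "👍" };

function demo() {
  const vulnQueue = [];
  const fixedQueue = [];
  const vulnerable = handleEventVulnerable(policy, strangerReaction, vulnQueue);
  const fixed = handleEventFixed(policy, strangerReaction, fixedQueue);
  const fixedPaired = handleEventFixed(policy, pairedReaction, fixedQueue);
  return {
    vulnerable,            // "queued": stranger's reaction reached the queue
    fixed,                 // "dropped": policy applied before the reaction branch
    fixedPaired,           // "queued": paired sender still works after the fix
    vulnQueueLen: vulnQueue.length,
    fixedQueueLen: fixedQueue.length,
  };
}

console.log(demo());
```

The point of the fixed version is structural rather than a matter of one extra check: every event kind, including kinds added later, passes through the same decision before any branch can enqueue anything, so a future early return cannot reintroduce the bypass.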

Mitigation Strategies

  • Upgrade OpenClaw to version 2026.2.25 or later immediately.
  • Restrict Signal exposure: If possible, ensure the Signal number is not public, reducing the attack surface for unsolicited messages.
  • Audit logs for unexpected 'Signal reaction added' events from unknown source numbers prior to the patch date.
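For the log audit item, here is an added example of the check, written for this post rather than taken from OpenClaw's tooling. The log line format and the sample lines are constructed assumptions (the real format may differ, so the regex is the part to adapt); the allowFrom list and the date the instance was patched are inputs. It reports every reaction from a number outside allowFrom and marks whether it landed before the patch, since a hit after the upgrade means the policy is still not being enforced:

```javascript
// Added illustration, not OpenClaw tooling: scan log lines for
// "Signal reaction added" events from numbers outside allowFrom.
// Log line format below is a constructed assumption.
const REACTION_RE = /^(\S+)\s.*Signal reaction added:\s*(\S+)\s+from\s+(\+\d+)/;

// Returns one record per reaction whose sender is not in allowFrom.
// prePatch is true when the event predates patchedAt (an ISO timestamp).
function findUnauthorizedReactions(logLines, allowFrom, patchedAt) {
  const allowed = new Set(allowFrom);
  const cutoff = Date.parse(patchedAt);
  const hits = [];
  for (const line of logLines) {
    const m = REACTION_RE.exec(line);
    if (!m) continue;                       // not a reaction event
    const [, ts, emoji, sender] = m;
    if (allowed.has(sender)) continue;      // paired / allowlisted sender
    hits.push({ ts, sender, emoji, prePatch: Date.parse(ts) < cutoff });
  }
  return hits;
}

// Constructed sample log lines (not real OpenClaw output).
const SAMPLE_LOG = [
  "2026-02-20T10:01:02Z signal: Signal reaction added: 👍 from +15550001111",
  "2026-02-20T10:05:44Z signal: Signal reaction added: 🔥 from +15559998888",
  "2026-02-21T08:00:00Z signal: inbound message from +15550001111",
  "2026-02-26T09:30:00Z signal: Signal reaction added: 👍 from +15557777777",
];

function auditSample() {
  return findUnauthorizedReactions(SAMPLE_LOG, ["+15550001111"], "2026-02-25T00:00:00Z");
}

console.log(auditSample());
```

A pre-patch hit tells you an unauthorized sender was able to inject a system event and which emoji/text reached the queue; a post-patch hit is a sign that the upgrade did not take effect on that instance.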

Remediation Steps:

  1. Stop the running OpenClaw instance.
  2. Update the npm dependency: npm install openclaw@2026.2.25 or yarn upgrade openclaw.
  3. Verify that the installed openclaw version is 2026.2.25 or later.
  4. Restart the OpenClaw service.
  5. Review the application logs for any errors regarding resolveDmGroupAccessDecision to ensure the new security policy logic is functioning correctly.

