
GHSA-2CH6-X3G4-7759: Authorization Bypass in OpenClaw via Identity Confusion

Vulnerability ID: GHSA-2CH6-X3G4-7759
CVSS Score: 8.1
Published: 2026-03-03

A critical authorization bypass vulnerability exists in OpenClaw, an open-source personal AI assistant. The flaw resides in the command authorization logic in src/auto-reply/command-auth.ts, specifically in how the application resolves sender identities. Because the ctx.From field is insufficiently validated, the system may treat a conversation container identifier (such as a Group JID or Channel ID) as a valid user identity. If an administrator inadvertently adds a group identifier to the allowFrom configuration, every member of that conversation gains administrative privileges and can execute privileged commands. This vulnerability affects all versions prior to 2026.3.2.

TL;DR: OpenClaw versions before 2026.3.2 suffer from an identity confusion vulnerability where group/channel IDs are treated as valid user identities. If
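The following TypeScript is an added illustration of the bug class the advisory describes, not OpenClaw's own code from src/auto-reply/command-auth.ts. The type and function names (AuthContext, isAuthorizedVulnerable, isAuthorizedHardened, findContainerEntries), the identifier patterns used to recognise group and channel containers, and the sample allowFrom list are all constructed assumptions for this example. It shows the vulnerable shape (comparing whatever arrives in the sender field directly against allowFrom) beside a hardened check that refuses to treat a conversation container as a user identity, plus a configuration validator that flags container entries in allowFrom at load time.

```typescript
// Hypothetical context shape: what a channel adapter hands to the command authorizer.
type AuthContext = {
  from: string;             // sender identity as delivered by the adapter (may be a container id!)
  senderId?: string;        // individual sender, when the adapter resolves one
  conversationId?: string;  // group / channel the message was posted in
};

// Recognise conversation-container identifiers. The patterns are constructed for
// this example: WhatsApp-style group JIDs end in "@g.us", channel ids carry a
// "channel:" prefix. A real deployment would use its adapters' actual formats.
function isConversationContainer(id: string): boolean {
  return id.endsWith("@g.us") || id.startsWith("channel:");
}

// VULNERABLE pattern: ctx.from is trusted as a user identity and matched against
// allowFrom as-is. If the adapter populated ctx.from with the group JID and the
// admin listed that JID, every group member passes this check.
function isAuthorizedVulnerable(ctx: AuthContext, allowFrom: string[]): boolean {
  return allowFrom.includes(ctx.from);
}

// HARDENED pattern:
//  1. authorize on the resolved individual sender, never on the container;
//  2. a container id can never be a valid user identity, so it is rejected outright;
//  3. container entries in allowFrom are ignored rather than granting anyone access.
function isAuthorizedHardened(ctx: AuthContext, allowFrom: string[]): boolean {
  const sender = ctx.senderId ?? ctx.from;
  if (isConversationContainer(sender)) return false;
  const userAllowList = allowFrom.filter((entry) => !isConversationContainer(entry));
  return userAllowList.includes(sender);
}

// Config-load check: surface the misconfiguration instead of silently honouring it.
function findContainerEntries(allowFrom: string[]): string[] {
  return allowFrom.filter(isConversationContainer);
}

// Constructed scenario: admin meant to allow one user but also pasted the group JID.
const sampleAllowFrom = ["admin@s.whatsapp.net", "12345@g.us"];

// A non-admin member posts in the group; the adapter put the group JID in `from`.
const memberInGroup: AuthContext = {
  from: "12345@g.us",
  senderId: "member@s.whatsapp.net",
  conversationId: "12345@g.us",
};

// The real admin posting in the same group.
const adminInGroup: AuthContext = {
  from: "admin@s.whatsapp.net",
  senderId: "admin@s.whatsapp.net",
  conversationId: "12345@g.us",
};

function runScenario() {
  return {
    memberVulnerable: isAuthorizedVulnerable(memberInGroup, sampleAllowFrom), // true: bypass
    memberHardened: isAuthorizedHardened(memberInGroup, sampleAllowFrom),     // false
    adminHardened: isAuthorizedHardened(adminInGroup, sampleAllowFrom),       // true
    flaggedEntries: findContainerEntries(sampleAllowFrom),                    // ["12345@g.us"]
  };
}

console.log(runScenario());
```

The detection angle is the validator: running findContainerEntries over allowFrom when the configuration is loaded turns a silent privilege grant to an entire group into a visible startup warning, independently of whether the authorizer itself has been fixed.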
Continue reading on Dev.to