CVE-2026-62196

OpenClaw · OpenClaw

OpenClaw is vulnerable to an authorization bypass flaw involving WhatsApp group IDs, which may allow authenticated users to perform unauthorized actions.

Executive summary

An authorization flaw in OpenClaw versions 2026.3.22 to 2026.6.5 permits authenticated users to bypass security controls by manipulating group identifiers.

Vulnerability

This vulnerability is identified as Incorrect Authorization (CWE-863). It occurs when the application fails to properly validate the user's authorization level relative to WhatsApp group IDs, allowing authenticated users to interact with groups they should not have access to.

Business impact

This vulnerability enables unauthorized access to group-specific data or functions, potentially leading to unauthorized information disclosure or administrative actions within the application. The CVSS score of 8.3 reflects the significant impact on confidentiality and integrity, which could result in a serious violation of organizational access control policies.

Remediation

Immediate Action: Update OpenClaw to version 2026.6.6 or later, which contains the fix for the authorization validation logic.

Proactive Monitoring: Audit logs for unauthorized access attempts to group-specific data and monitor for unusual activity related to group identifier manipulation.

Compensating Controls: Restrict access to the application to only authorized personnel and implement granular access controls at the application layer to enforce the principle of least privilege.

Exploitation status

Public Exploit Available: Unknown.

Analyst recommendation

Due to the high-severity nature of this authorization bypass, organizations must treat this update with high priority. Apply the provided patch (version 2026.6.6) immediately to ensure that authorization checks are correctly enforced and to secure sensitive application data.