Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-m43c-ejcy-hqhk
Vulnerability ID VCID-m43c-ejcy-hqhk
Aliases GHSA-mw7w-g3mg-xqm7
Summary OpenClaw: BlueBubbles Group Reactions Bypass requireMention and Still Enqueue Agent-Visible System Events ## Summary BlueBubbles Group Reactions Bypass requireMention and Still Enqueue Agent-Visible System Events ## Affected Packages / Versions - Package: `openclaw` - Affected versions: `<= 2026.3.24` - First patched version: `2026.3.25` - Latest published npm version at verification time: `2026.3.24` ## Details BlueBubbles group reaction events previously bypassed `requireMention` and still enqueued agent-visible system events in groups that were supposed to stay mention-gated. Commit `f8c98630785288cc1f1d0893503ef3b653a3cede` applies the reaction path to the same mention gate as normal group messages. Verified vulnerable on tag `v2026.3.24` and fixed on `main` by commit `f8c98630785288cc1f1d0893503ef3b653a3cede`. ## Fix Commit(s) - `f8c98630785288cc1f1d0893503ef3b653a3cede`
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (4)
CWE-288 Authentication Bypass Using an Alternate Path or Channel
CWE-863 Incorrect Authorization
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-mw7w-g3mg-xqm7
cvssv4 5.3 https://github.com/openclaw/openclaw
generic_textual MODERATE https://github.com/openclaw/openclaw
cvssv4 5.3 https://github.com/openclaw/openclaw/commit/f8c98630785288cc1f1d0893503ef3b653a3cede
generic_textual MODERATE https://github.com/openclaw/openclaw/commit/f8c98630785288cc1f1d0893503ef3b653a3cede
cvssv3.1_qr MODERATE https://github.com/openclaw/openclaw/security/advisories/GHSA-mw7w-g3mg-xqm7
cvssv4 5.3 https://github.com/openclaw/openclaw/security/advisories/GHSA-mw7w-g3mg-xqm7
generic_textual MODERATE https://github.com/openclaw/openclaw/security/advisories/GHSA-mw7w-g3mg-xqm7
Reference id Reference type URL
https://github.com/openclaw/openclaw
https://github.com/openclaw/openclaw/commit/f8c98630785288cc1f1d0893503ef3b653a3cede
https://github.com/openclaw/openclaw/security/advisories/GHSA-mw7w-g3mg-xqm7
GHSA-mw7w-g3mg-xqm7 https://github.com/advisories/GHSA-mw7w-g3mg-xqm7
No exploits are available.
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N Found at https://github.com/openclaw/openclaw
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N Found at https://github.com/openclaw/openclaw/commit/f8c98630785288cc1f1d0893503ef3b653a3cede
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N Found at https://github.com/openclaw/openclaw/security/advisories/GHSA-mw7w-g3mg-xqm7
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

No EPSS data available for this vulnerability.

Date Actor Action Source VulnerableCode Version
2026-05-31T10:55:00.769754+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-mw7w-g3mg-xqm7/GHSA-mw7w-g3mg-xqm7.json 38.6.0