Overview
The CVE-2026-22170 vulnerability describes an access control bypass in OpenClaw versions prior to 2026.2.22 when the optional BlueBubbles plugin is installed. The issue arises when an empty allowFrom configuration causes dmPolicy pairing and allowlist validation to be ineffective, enabling remote attackers to send direct messages to BlueBubbles accounts without proper sender authorization checks. This is a Broken Object Level Authorization (BOLOA) scenario (CWE-863) where the attacker can access or act on objects (in this case, DMs) that should be protected by per-user authorization. In real-world deployments that combine Go services (Gin) with such plugins, a misconfigured policy often leads to default-allow behavior whenever the policy store is empty, creating a direct channel for abuse and privacy violations. The impact is tangible: attackers can impersonate legitimate users in DMs, potentially exfiltrating information or harassing recipients, while defenders lose confidence in the object-level access model.
In practice, the exploitation path hinges on authorization logic that short-circuits or bypasses explicit sender validation when the allowlist is empty. Attackers do not need to compromise accounts; instead, they exploit the policy loading and validation path to treat an empty allowFrom as a universal permit. This pattern is particularly dangerous in Go services using Gin, where a handler might conditionally allow access if a policy map is nil or has zero length, effectively turning a protective policy into a leak. The CVE exemplifies how attackers can abuse object-level access controls that rely on configuration state rather than mandatory checks, underscoring the need for strict defaults and robust per-object authorization.
To remediate, developers must ensure that an empty or missing allowFrom policy cannot grant access implicitly. Go (Gin) services should enforce non-empty, explicit allowlists and perform per-sender, per-object checks rather than global or all-or-nothing shortcuts. Implement authentication to identify the requester, load a validated policy at startup, and reject requests when the policy is misconfigured. Add tests that simulate empty allowlists, verify that no bypass occurs, and monitor for policy-load failures to prevent silent escalations. The provided code example demonstrates both the vulnerable pattern and a secure fix in a single Go (Gin) module.
Affected Versions
OpenClaw < 2026.2.22 with BlueBubbles plugin (CVE-2026-22170)
Code Fix Example
Go (Gin) API Security Remediation
package main
import (
"net/http"
"github.com/gin-gonic/gin"
)
type Policy struct {
AllowFrom map[string]bool
}
// loadPolicy simulates configuration loading; in real life, fetch from file/DB/env
func loadPolicy() Policy {
return Policy{AllowFrom: map[string]bool{"alice": true, "carol": true}}
}
// Vulnerable: empty allowFrom enables universal access
func vulnerableSendDM(c *gin.Context) {
sender := c.GetHeader("X-Sender")
policy := loadPolicy()
if len(policy.AllowFrom) == 0 || policy.AllowFrom[sender] {
c.JSON(http.StatusOK, gin.H{"status": "dm_sent_vulnerable"})
return
}
c.JSON(http.StatusForbidden, gin.H{"error": "unauthorized"})
}
// Fixed: require non-empty allowFrom and explicit membership check
func fixedSendDM(c *gin.Context) {
sender := c.GetHeader("X-Sender")
policy := loadPolicy()
if policy.AllowFrom == nil || len(policy.AllowFrom) == 0 {
c.JSON(http.StatusInternalServerError, gin.H{"error": "authorization policy not configured"})
return
}
if policy.AllowFrom[sender] {
c.JSON(http.StatusOK, gin.H{"status": "dm_sent_secure"})
return
}
c.JSON(http.StatusForbidden, gin.H{"error": "unauthorized"})
}
func main() {
r := gin.Default()
r.POST("/dm_vulnerable", vulnerableSendDM)
r.POST("/dm_fixed", fixedSendDM)
r.Run(":8080")
}