VDB
KO
MEDIUM

GHSA-mw7w-g3mg-xqm7

OpenClaw: BlueBubbles Group Reactions Bypass requireMention and Still Enqueue Agent-Visible System Events

Details

## Summary

BlueBubbles Group Reactions Bypass requireMention and Still Enqueue Agent-Visible System Events

## Affected Packages / Versions

- Package: `openclaw` - Affected versions: `<= 2026.3.24` - First patched version: `2026.3.25` - Latest published npm version at verification time: `2026.3.24`

## Details

BlueBubbles group reaction events previously bypassed `requireMention` and still enqueued agent-visible system events in groups that were supposed to stay mention-gated. Commit `f8c98630785288cc1f1d0893503ef3b653a3cede` applies the reaction path to the same mention gate as normal group messages.

Verified vulnerable on tag `v2026.3.24` and fixed on `main` by commit `f8c98630785288cc1f1d0893503ef3b653a3cede`.

## Fix Commit(s)

- `f8c98630785288cc1f1d0893503ef3b653a3cede`

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / openclaw
Introduced in: 0

No fixed version published yet for openclaw (npm). Pin to a known-safe version or switch to an alternative.

References