Closed
Description
Bug Description
groupAllowFrom in WhatsApp channel config doesn't filter group message senders as documented. With groupPolicy: "allowlist" and groupAllowFrom: ["+1234567890"], all group members can trigger the bot, not just the allowlisted number.
Expected Behavior
Per docs:
- groupPolicy: "allowlist" should require sender to match groupAllowFrom
- Only allowlisted senders should trigger bot responses in groups
Actual Behavior
- With groupPolicy: "open" + groupAllowFrom: Anyone can trigger (sender filter bypassed)
- With groupPolicy: "allowlist" + groupAllowFrom: Everyone is blocked, including allowlisted senders
Reproduction
{
  "channels": {
    "whatsapp": {
      "groupPolicy": "allowlist",
      "groupAllowFrom": ["+971506221055"],
      "allowFrom": ["+971506221055"]
    }
  }
}
- Add bot to a WhatsApp group
- Have the allowlisted number send "Roxy: test"
- Bot does NOT respond
- Change to groupPolicy: "open"
- Now ANY group member can trigger the bot (groupAllowFrom ignored)
Environment
- Version affected: 2026.2.22, 2026.2.22-1, 2026.2.22-2
- Version working: 2026.2.14 (with same config, groups work correctly)
- Platform: macOS, WhatsApp Web (Baileys)
Root Cause Hypothesis
The changelog mentions:
Channels/Group policy: fail closed when groupPolicy: "allowlist" is set without explicit groups
This security change may be too aggressive, blocking even when groupAllowFrom is properly set.
Use Case
Family/trusted groups where only the bot owner should be able to trigger responses. This is a legitimate privacy/cost concern (don't want random group members burning API tokens).
Workaround
Downgrade to 2026.2.14 — not ideal due to missing security patches.
Suggested Fix
- When groupPolicy: "allowlist" + groupAllowFrom is set, allow group messages from those senders
- Only "fail closed" when BOTH groups and groupAllowFrom are missing