Listen to this Post
In affected versions of OpenClaw, a flaw existed in how the Matrix Direct Message (DM) allowlist was processed. The `channels.matrix.dm.allowFrom` configuration setting uses exact matching to grant access. However, the system generated multiple candidates from a sender’s profile to match against this list, including the user’s display name and the bare localpart of their Matrix ID (the part before the colon). Both of these fields can be controlled or spoofed by a remote attacker. If an administrator configured the allowlist using simple names (e.g., “Alice” or “alice”) instead of full Matrix IDs (e.g., @alice:trusted.server), an attacker could impersonate an approved user. For instance, an attacker with the MXID `@alice:evil.example` would be matched by the bare localpart “alice” and granted access. This allows a malicious actor to bypass the allowlist, enabling them to send DMs to the bot and potentially interact with the agent’s downstream routing and capabilities, depending on other policies.
Platform: OpenClaw (NPM)
Version: 2026.1.14-1 – 2026.2.1
Vulnerability: Matrix allowlist bypass
Severity: Medium
date: 17 Feb 2026
Prediction: Patch already available
What Undercode Say:
This vulnerability highlights the danger of ambiguous identity matching in federated systems. The following commands and concepts are relevant for analysis and verification.
Checking for Vulnerable Configurations
Grep the OpenClaw configuration file (typically config.yaml) for the presence of display names or bare localparts in the Matrix DM allowlist.
grep -A 5 'channels.matrix.dm.allowFrom' /path/to/openclaw/config.yaml | grep -E '(" |"@?[a-zA-Z0-9]+")' | grep -v ':@'
Example of a Vulnerable Config Snippet
channels: matrix: dm: allowFrom: - "alice" Vulnerable: Bare localpart - "Bob Admin" Vulnerable: Display name - "@carol:secure.org" Secure: Full MXID
Example of a Secure Config Snippet
channels: matrix: dm: allowFrom: - "@alice:trusted.org" - "@bob:trusted.org"
How Exploit:
An attacker hosting a malicious Matrix homeserver can create an account with a localpart that matches a bare localpart entry on a target’s allowlist (e.g., @alice:evil.com). By sending a Direct Message to the OpenClaw bot, the vulnerable Matrix plugin checks the sender against the list. It generates the candidate “alice” from the attacker’s MXID, finds an exact match in the `allowFrom` list, and grants the attacker access as if they were the trusted user.
Protection from this CVE:
- Immediate Upgrade: Update the OpenClaw NPM package to version `2026.2.2` or later.
npm update openclaw@latest
- Configuration Remediation: Immediately review and modify the Matrix channel configuration. Replace any display names or bare localparts (e.g., “alice”, “admin”, “botuser”) with full, qualified Matrix User IDs (MXIDs) in the format
@localpart:homeserver.tld. Using a wildcard (“) is safer than ambiguous names but should be used with extreme caution. - Verify the Fix: Check the changelog to confirm the presence of commit
8f3bfbd1c4f.
Impact:
Successful exploitation allows a remote, unauthenticated attacker to bypass the Matrix DM allowlist. This can lead to unauthorized interaction with the OpenClaw agent, potentially allowing the attacker to execute commands, access internal tools, or interact with downstream systems that the agent can reach, depending on the specific permissions and skills enabled for Matrix channels.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

