Five zero-day vulnerabilities have been identified in OpenClaw, allowing attackers to breach trust boundaries and take control of AI agents across various messaging services.
OpenClaw integrates AI agents into platforms such as Slack, Discord, Microsoft Teams, Matrix, and Telegram, and uses user-defined allowlists to control who may interact with those agents. The allowlist is the trust boundary: it rests on the assumption that only explicitly approved users can issue commands to agents that may in turn have access to sensitive data or systems.
Underlying Vulnerabilities
Philip Garabandic discovered that the trust model breaks down during allowlist processing because of improper identity resolution. At service initialization, human-readable allowlist entries such as display names are resolved to stable user IDs. Because display names can be freely changed on most platforms, an attacker who sets their own name to match an allowlisted entry before that resolution runs is resolved in place of the trusted user.
The issue was first found in OpenClaw's Telegram integration and patched under advisory GHSA-mj5r-hh7j-4gxf. The same root cause, however, persisted in five other extensions (Slack, Discord, Matrix, Zalo, and Microsoft Teams) whose implementations shared the same pattern.
Security Implications
The fundamental flaw is the startup resolution step, not the runtime check. The runtime check itself compares stable user IDs and is sound on its own, but the set it consults is built at initialization from mutable fields such as display names. An attacker who changes their display name to match an allowlisted user before the service restarts causes that entry to resolve to the attacker's ID, after which every runtime check passes for them.
A successful attacker then controls the agent's interactions, and the legitimate user the entry was meant to authorize can be locked out, since the entry now points at the attacker's ID instead. The vulnerabilities were found with agentgg, an AI-driven static-analysis tool that generates custom detectors from historical advisories.
Addressing the Flaws
OpenClaw maintainers acknowledged the reports and shipped fixes that enforce strict ID-based matching of allowlist entries, along with configuration flags that control whether name-based resolution is permitted at all. Operators who keep name-based resolution enabled should understand that the startup step still trusts a field the user controls, so allowlists are best expressed as stable IDs.
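The following is an added simulation, not OpenClaw's code, of the mechanism described in the preceding sections and of the ID-only fix described here. The `User`/`Directory` model, the `U...` ID format, the sample members and the allowlist entries are all constructed for illustration. The vulnerable resolver keeps the stable ID of whichever member bears the allowlisted display name at startup; the hardened resolver accepts only existing stable IDs unless an explicit flag enables name resolution, and then still refuses an ambiguous name.

```python
"""Simulation of the allowlist flaw: display names resolved to IDs at startup.

Constructed example; the User/Directory model, the 'U...' ID format and the
allowlist entries are invented for illustration and are not OpenClaw's code.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: str       # stable, platform-assigned, not changeable by the user
    display_name: str  # mutable, changeable by the user on most platforms


class Directory:
    """Stand-in for a chat platform's member list and lookup API."""

    def __init__(self, users):
        self._users = {u.user_id: u for u in users}

    def rename(self, user_id, new_name):
        """The attacker's only required action: change their own display name."""
        current = self._users[user_id]
        self._users[user_id] = User(current.user_id, new_name)

    def get(self, user_id):
        return self._users.get(user_id)

    def find_by_name(self, name):
        """Display names are not unique, so a lookup can return several members."""
        return [u for u in self._users.values() if u.display_name == name]


def resolve_allowlist_vulnerable(directory, allowlist):
    """Startup resolution as the advisories describe it: each entry is looked up
    by display name and the first match's stable ID is kept. Whoever bears the
    name when the service starts becomes the allowlisted party."""
    resolved = set()
    for entry in allowlist:
        matches = directory.find_by_name(entry)
        if matches:
            resolved.add(matches[0].user_id)
    return resolved


def resolve_allowlist_hardened(directory, allowlist, allow_name_resolution=False):
    """Strict ID matching. An entry is accepted only if it is an existing stable
    ID (assumed format: 'U' prefix, present in the directory). Name entries are
    rejected unless the operator opts in, and then only an unambiguous name passes."""
    resolved = set()
    for entry in allowlist:
        if entry.startswith("U") and directory.get(entry) is not None:
            resolved.add(entry)
            continue
        if not allow_name_resolution:
            raise ValueError(f"allowlist entry {entry!r} is not a stable user ID")
        matches = directory.find_by_name(entry)
        if len(matches) != 1:
            raise ValueError(f"display name {entry!r} has {len(matches)} matches; refusing to guess")
        resolved.add(matches[0].user_id)
    return resolved


def is_authorized(resolved_allowlist, sender_id):
    """Runtime check: compares only the sender's stable ID. Sound by itself, but
    only as trustworthy as the set it was handed at startup."""
    return sender_id in resolved_allowlist


def demo():
    """Walk through the attack and the fix; returns the outcomes for inspection."""
    alice = User("U100", "alice")      # legitimate operator
    mallory = User("U666", "mallory")  # attacker with ordinary membership
    # Platform search order is outside the operator's control; here the attacker
    # happens to sort first, which is all the vulnerable resolver needs.
    directory = Directory([mallory, alice])
    name_allowlist = ["alice"]   # operator wrote a display name
    id_allowlist = ["U100"]      # what the fix requires instead

    out = {}
    out["vuln_attacker_before_rename"] = is_authorized(
        resolve_allowlist_vulnerable(directory, name_allowlist), "U666")

    directory.rename("U666", "alice")  # attacker renames, then waits for a restart
    vuln_after = resolve_allowlist_vulnerable(directory, name_allowlist)
    out["vuln_attacker_after_rename"] = is_authorized(vuln_after, "U666")
    out["vuln_alice_after_rename"] = is_authorized(vuln_after, "U100")

    hardened = resolve_allowlist_hardened(directory, id_allowlist)
    out["hardened_attacker"] = is_authorized(hardened, "U666")
    out["hardened_alice"] = is_authorized(hardened, "U100")

    try:
        resolve_allowlist_hardened(directory, name_allowlist)
        out["hardened_rejects_name_entry"] = False
    except ValueError:
        out["hardened_rejects_name_entry"] = True
    try:
        resolve_allowlist_hardened(directory, name_allowlist, allow_name_resolution=True)
        out["hardened_rejects_ambiguous_name"] = False
    except ValueError:
        out["hardened_rejects_ambiguous_name"] = True
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the two halves of the bug: before the rename the attacker is refused, after the rename and a restart the attacker is authorized and the real user is not, while the ID-only allowlist is unaffected by the rename. The hardened resolver fails closed on configuration it cannot trust, which is the behaviour an operator wants from a control that runs once at startup and is then relied on for every message.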
These vulnerabilities fall under CWE-639 (Authorization Bypass Through User-Controlled Key): an authorization decision keyed on a value the requester controls. The impact is severe in AI-agent deployments, where the authorized party can direct command execution, exfiltrate data, or pivot into connected systems.
Garabandic argues that fixing one instance is not enough when the same root cause has been copied across several integrations, and that detection has to be systemic. Turning past advisories into automated detectors lets organizations find the remaining siblings of a fixed bug instead of waiting for each one to be rediscovered, which is what keeping trust in AI-driven infrastructure requires.
