Five critical zero-day vulnerabilities in OpenClaw, a popular AI agent integration framework, allowed attackers to bypass trust boundaries and hijack AI agent access across multiple messaging platforms including Slack, Discord, Microsoft Teams, Matrix, and Zalo. The findings reveal a systemic design flaw that persisted across multiple independently developed modules despite an earlier patch.
How OpenClaw Works — and Where It Went Wrong
OpenClaw integrates AI agents with collaboration platforms, relying heavily on user-defined allowlists to control which identities can issue commands to the agent. These agents may have access to sensitive internal data, APIs, or system-level execution capabilities, making the trust model critical to security.
Researcher Philip Garabandic discovered that this trust model breaks down due to improper identity resolution during allowlist processing. The root cause: the framework resolves human-readable identifiers — such as display names — to stable user IDs during service initialization. Because display names are mutable across most chat platforms, this creates an exploitable window.
The Attack Technique
An attacker can exploit the vulnerability by changing their display name to match an allowlisted user before a service restart. During initialization, the system incorrectly binds the attacker's ID into the trusted allowlist. Once this occurs:
- The attacker gains full control over agent interactions.
- The legitimate user is silently excluded from issuing commands.
- Any action the AI agent can perform — code execution, API calls, data retrieval — becomes available to the adversary.
This class of vulnerability aligns with CWE-639 (Authorization Bypass Through User-Controlled Key), a well-documented weakness in systems that rely on mutable identifiers for access decisions.
A Recurring Flaw Across Five Platforms
The same root cause was independently introduced across five separate channel extensions: Slack, Discord, Matrix, Zalo, and Microsoft Teams. An initial variant had been discovered in OpenClaw's Telegram integration and patched under advisory GHSA-mj5r-hh7j-4gxf. Despite that fix, the same insecure pattern was replicated by different developers across the remaining integrations — a failure of systemic security enforcement rather than an isolated coding error.
The vulnerabilities were identified using agentgg, a specialized AI-driven static analysis tool that generates custom detectors based on historical advisories. By analyzing prior OpenClaw vulnerabilities, the tool developed targeted detection logic for recurring anti-patterns and identified the flaw across multiple modules.
Impact in AI-Native Environments
The severity of these findings is amplified in modern AI-driven enterprise architectures. As AI agents gain greater autonomy — executing commands, triggering workflows, and accessing sensitive systems — compromise of the trust model can translate into:
- Arbitrary command execution within integrated platforms.
- Mass data exfiltration from connected services.
- Lateral movement into internal APIs and systems.
- Persistent access via AI agents with standing permissions.
Mitigation and Vendor Response
Each finding has been acknowledged and addressed by OpenClaw maintainers. The patches enforce strict ID-based matching and gate name-based resolution behind explicit configuration flags. Organizations using OpenClaw should immediately update to the patched versions for all affected channel extensions.
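To make the start-up resolution flaw and the described fix concrete, the following Python model is an added example and is not OpenClaw's code. It assumes a constructed member directory (stable user ID to mutable display name), an invented "id:" prefix marking stable-ID allowlist entries, and a single resolution pass at service start, then replays the rename-before-restart scenario from the attack section against both a vulnerable resolver and one that applies the patch pattern (ID-only matching by default, name resolution only behind an explicit flag).

```python
"""Model of the allowlist flaw and its fix (illustration, not OpenClaw code).

Constructed assumptions for this example:
  * A platform directory maps a stable user ID to a mutable display name.
  * Allowlist entries are either stable IDs written "id:<user id>" (an
    invented convention) or bare display names.
  * Allowlist resolution runs once, when the channel service starts.
"""
from __future__ import annotations

ID_PREFIX = "id:"


class Directory:
    """Constructed stand-in for a chat platform's member list."""

    def __init__(self, members: dict[str, str]) -> None:
        # user_id -> display name; insertion order models join order
        self.members = dict(members)

    def rename(self, user_id: str, new_name: str) -> None:
        """Display names are user-controlled and can change at any time."""
        self.members[user_id] = new_name

    def ids_for_name(self, name: str) -> list[str]:
        return [uid for uid, n in self.members.items() if n == name]


def resolve_vulnerable(entries: list[str], directory: Directory) -> set[str]:
    """Pattern described in the writeup: names resolved to IDs at start-up.

    A display name is treated as a unique key. Building a name -> id map
    means the member seen last (here the most recently joined) silently wins
    a collision: whoever copies an allowlisted name is bound into the
    allowlist and the legitimate user is pushed out.
    """
    by_name = {name: uid for uid, name in directory.members.items()}
    resolved: set[str] = set()
    for entry in entries:
        if entry.startswith(ID_PREFIX):
            resolved.add(entry[len(ID_PREFIX):])
        elif entry in by_name:
            resolved.add(by_name[entry])
    return resolved


def resolve_hardened(
    entries: list[str], directory: Directory, allow_name_resolution: bool = False
) -> tuple[set[str], list[str]]:
    """Fix pattern from the advisory text: strict ID matching by default, name
    resolution only behind an explicit flag, and refused when the name is not
    unique. Returns the trusted IDs plus audit warnings for the operator."""
    resolved: set[str] = set()
    warnings: list[str] = []
    for entry in entries:
        if entry.startswith(ID_PREFIX):
            resolved.add(entry[len(ID_PREFIX):])
            continue
        if not allow_name_resolution:
            warnings.append(
                f"ignored name entry {entry!r}: use id:<user id> or enable name resolution"
            )
            continue
        matches = directory.ids_for_name(entry)
        if len(matches) != 1:
            warnings.append(
                f"name {entry!r} matches {len(matches)} members; refusing to trust it"
            )
            continue
        resolved.add(matches[0])
    return resolved, warnings


def is_authorized(sender_id: str, allowlist_ids: set[str]) -> bool:
    """Runtime check compares the platform-supplied sender ID, never the name."""
    return sender_id in allowlist_ids


def run_scenario() -> dict[str, bool]:
    """Replays the attack against both resolvers.

    Constructed data: U1 is the real operator 'alice'; U2 joined later and
    renames to 'alice' before the service restarts.
    """
    directory = Directory({"U1": "alice", "U2": "bob"})
    name_allowlist = ["alice"]
    directory.rename("U2", "alice")  # attacker copies the allowlisted name

    vuln_ids = resolve_vulnerable(name_allowlist, directory)  # "restart" here
    safe_ids, warnings = resolve_hardened(name_allowlist, directory)
    opt_in_ids, opt_in_warnings = resolve_hardened(
        name_allowlist, directory, allow_name_resolution=True
    )
    id_based, _ = resolve_hardened(["id:U1"], directory)

    return {
        "vulnerable_attacker_allowed": is_authorized("U2", vuln_ids),
        "vulnerable_operator_allowed": is_authorized("U1", vuln_ids),
        "hardened_attacker_allowed": is_authorized("U2", safe_ids),
        "hardened_warned_about_name_entry": bool(warnings),
        "optin_attacker_allowed": is_authorized("U2", opt_in_ids),
        "optin_flagged_collision": bool(opt_in_warnings),
        "id_based_operator_allowed": is_authorized("U1", id_based),
        "id_based_attacker_allowed": is_authorized("U2", id_based),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The warnings list is the piece worth keeping in a real deployment: surfacing every name-based entry at start-up is also how an audit of the other channel extensions finds the same pattern before it is exploited.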
Beyond this specific vulnerability, the incident carries a broader lesson: patching one component does not eliminate a vulnerability class. Without systemic detection mechanisms and cross-module security reviews, the same flaw can silently propagate across parallel implementations. Organizations deploying AI agent frameworks should audit all integrations for consistent enforcement of identity trust mechanisms — not just the components that have already been patched.
Source: Cybersecurity News / Philip Garabandic via Infosec Writeups