Five OpenClaw 0-Day Flaws Let Attackers Hijack Trusted Agent Access
Five zero-day flaws in OpenClaw allowed attackers to bypass trust boundaries and hijack AI agent access across multiple messaging platforms.
OpenClaw, which integrates AI agents with services such as Slack, Discord, Microsoft Teams, Matrix, and Telegram, relies heavily on user-defined allowlists to determine who can interact with an agent.
This trust model assumes that only explicitly approved identities can issue commands to agents that may have access to sensitive data, internal APIs, or system-level execution capabilities.
However, Philip Garabandic found that this trust model breaks down due to improper identity resolution during allowlist processing.
Five OpenClaw 0-Days
The vulnerabilities stem from a recurring design flaw in which human-readable identifiers, such as display names, are resolved to stable user IDs during service initialization.
Because display names are mutable across most chat platforms, attackers can impersonate trusted users simply by renaming themselves to match an allowlisted identity.
This issue was initially identified in OpenClaw’s Telegram integration and patched under advisory GHSA-mj5r-hh7j-4gxf.
Despite the fix, the same root cause persisted across five additional channel extensions, specifically Slack, Discord, Matrix, Zalo, and Microsoft Teams.
Each implementation independently reintroduced the same insecure pattern, highlighting a broader issue in distributed development and inconsistent security enforcement.
At the core of the vulnerability is a flawed startup resolution process. While runtime checks typically validate stable user IDs, the initialization logic resolves allowlist entries via directory lookups based on mutable fields such as displayName or username.

If an attacker changes their display name to match an allowlisted user before a service restart, the system may incorrectly bind the attacker’s ID into the trusted allowlist.
Once this occurs, the attacker gains full control over agent interactions while the legitimate user is silently excluded.
The vulnerabilities were identified using a specialized AI-driven static analysis tool called agentgg, which generates custom detectors based on historical advisories.
By analyzing prior OpenClaw vulnerabilities, the tool developed targeted detection logic for recurring anti-patterns, ultimately identifying a flaw replicated across multiple modules.
Each finding has since been acknowledged and addressed by OpenClaw maintainers, with fixes that enforce strict ID-based matching and gate name-based resolution behind explicit configuration flags.
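The startup resolution flaw and the ID-based fix described above can be compared side by side in the following added example. It is not OpenClaw's code: the function names, the "U-<digits>" ID format, the directory data, and the refusal of ambiguous names are all assumptions made for illustration.

```typescript
// Added illustration; every name and the "U-<digits>" ID format are
// hypothetical and are not taken from OpenClaw's code.
type DirectoryUser = { id: string; displayName: string };
type Resolution = { allowedIds: string[]; rejected: string[] };

const STABLE_ID = /^U-\d+$/;

// Constructed directory snapshot as seen at service start: a second account
// has been renamed to the display name of the allowlisted person (U-1001).
const directoryAtStartup: DirectoryUser[] = [
  { id: "U-2002", displayName: "alice" },
  { id: "U-1001", displayName: "alice" },
  { id: "U-1003", displayName: "bob" },
];

// Flawed pattern described above: every entry is looked up by display name
// and the first match is bound into the allowlist as a trusted ID.
function resolveByNameAtStartup(entries: string[], dir: DirectoryUser[]): string[] {
  const ids: string[] = [];
  for (const entry of entries) {
    const hit = dir.find((u) => u.displayName === entry);
    if (hit) ids.push(hit.id);
  }
  return ids;
}

// Hardened pattern: stable IDs pass through untouched; names are refused
// unless the operator opts in, and (an extra check assumed for this example)
// a name matching more than one account is refused even then.
function resolveStrict(entries: string[], dir: DirectoryUser[], allowNameResolution = false): Resolution {
  const out: Resolution = { allowedIds: [], rejected: [] };
  for (const entry of entries) {
    if (STABLE_ID.test(entry)) {
      out.allowedIds.push(entry);
      continue;
    }
    const hits = allowNameResolution ? dir.filter((u) => u.displayName === entry) : [];
    const only = hits.length === 1 ? hits[0] : undefined;
    if (only) out.allowedIds.push(only.id);
    else out.rejected.push(entry); // surfaced to the operator, never guessed
  }
  return out;
}
```

Even with the opt-in flag set, a uniquely matching name is still resolved from a mutable field, so rejected entries are best replaced in the configuration with stable IDs.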
From a security perspective, this class of vulnerability aligns with CWE-639, which describes bypassing authorization through user-controlled identifiers.
The impact is particularly severe in AI agent environments, where compromised access can translate into arbitrary command execution, data exfiltration, or lateral movement within integrated systems.
According to Philip Garabandic, the incident highlights that patching one component does not eliminate the underlying vulnerability class.
Without systemic detection mechanisms, the same flaw can silently propagate across parallel implementations.
By operationalizing past incident data into automated detection workflows, organizations can prevent repeated failures and strengthen trust boundaries in increasingly complex AI-driven architectures.