Critical OpenClaw AI Vulnerabilities Allow Unauthorized Control on Major Messaging Platforms

Critical OpenClaw Vulnerabilities Expose AI Agents to Unauthorized Control

OpenClaw, a rapidly growing open-source AI agent framework, has been found to contain five critical vulnerabilities that allow attackers to bypass its trust boundaries and gain unauthorized control over AI agents across several messaging platforms. The flaws, identified by security researcher Philip Garabandic, share a weakness in OpenClaw's identity resolution: an attacker who takes the display name of an allowlisted user can be treated as that user and issue commands to an agent that may hold sensitive access.

Understanding OpenClaw’s Trust Model

OpenClaw integrates AI agents with services such as Slack, Discord, Microsoft Teams, Matrix, and Telegram. It relies on user-defined allowlists to determine who can interact with an agent. This trust model assumes that only explicitly approved identities can issue commands to agents that may have access to sensitive data, internal APIs, or system-level execution capabilities.

The Root of the Vulnerabilities

The identified vulnerabilities stem from a recurring design flaw: human-readable identifiers such as display names are resolved to stable user IDs during service initialization. Because display names are mutable on most chat platforms, an attacker can impersonate a trusted user simply by renaming themselves to match an allowlisted entry.

This issue was initially identified in OpenClaw’s Telegram integration and patched under advisory GHSA-mj5r-hh7j-4gxf. However, the same root cause persisted across five additional channel extensions: Slack, Discord, Matrix, Zalo, and Microsoft Teams. Each implementation independently reintroduced the same insecure pattern, highlighting a broader issue in distributed development and inconsistent security enforcement.

Exploitation Mechanism

At the core of the vulnerability is a flawed startup resolution process. The per-message checks compare the sender's stable user ID against the resolved allowlist, but the initialization logic populates that allowlist through directory lookups on mutable fields such as displayName or username.

If an attacker changes their display name to match an allowlisted entry before the service (re)starts, the lookup can bind the attacker's ID into the trusted set. From then on every runtime check passes for the attacker, who gains full control over the agent's interactions, while the legitimate user is silently excluded.

Detection and Mitigation

The vulnerabilities were identified using a specialized AI-driven static analysis tool called agentgg, which generates custom detectors based on historical advisories. By analyzing prior OpenClaw vulnerabilities, the tool developed targeted detection logic for recurring anti-patterns, ultimately identifying a flaw replicated across multiple modules.

Each finding has since been acknowledged and addressed by OpenClaw maintainers, with fixes that enforce strict ID-based matching and gate name-based resolution behind explicit configuration flags.
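The following TypeScript is an added example, not OpenClaw's own code, that models the startup resolution step described under "Exploitation Mechanism" alongside the fix shape described above (strict ID matching, with name-based resolution behind an explicit flag). The ID format, the option name `allowNameResolution` and the sample directory are assumptions made for this example.

```typescript
// Added example, not OpenClaw's own code: a minimal model of the startup
// allowlist-resolution step. resolveAllowlistVulnerable() reproduces the
// insecure pattern the advisories describe; resolveAllowlistHardened() shows
// the fix shape (stable IDs only, name lookup behind an explicit opt-in).
// The ID format (U + digits), the option name and the sample directory are
// assumptions made for this example.

interface DirectoryUser {
  id: string;          // stable, platform-assigned identifier
  displayName: string; // mutable, chosen by the user
}

interface ResolveOptions {
  allowNameResolution?: boolean; // hypothetical opt-in flag
}

interface ResolveResult {
  bound: Set<string>; // user IDs that will be trusted at runtime
  rejected: string[]; // allowlist entries that were not bound, with a reason
}

// Constructed sample workspace: U100 is the real "alice", U200 is an ordinary member.
const DIRECTORY_BEFORE: DirectoryUser[] = [
  { id: "U100", displayName: "alice" },
  { id: "U200", displayName: "mallory" },
];

// The same workspace after U200 renames herself to collide with the allowlisted name.
const DIRECTORY_AFTER_RENAME: DirectoryUser[] = [
  { id: "U100", displayName: "alice" },
  { id: "U200", displayName: "alice" },
];

// Vulnerable: build a displayName -> id index and resolve entries through it.
// Names are not unique, so the last directory entry with a given name wins and
// a renamed attacker silently replaces the legitimate user.
function resolveAllowlistVulnerable(directory: DirectoryUser[], allowlist: string[]): Set<string> {
  const byName = new Map<string, string>();
  for (const u of directory) byName.set(u.displayName, u.id);
  const bound = new Set<string>();
  for (const entry of allowlist) {
    const id = byName.get(entry);
    if (id !== undefined) bound.add(id);
  }
  return bound;
}

const STABLE_ID = /^U\d+$/; // assumed ID shape for the example platform

// Hardened: bind stable IDs directly; resolve names only when an operator has
// opted in, and even then refuse any name that matches zero or several users.
function resolveAllowlistHardened(
  directory: DirectoryUser[],
  allowlist: string[],
  opts: ResolveOptions = {},
): ResolveResult {
  const bound = new Set<string>();
  const rejected: string[] = [];
  for (const entry of allowlist) {
    if (STABLE_ID.test(entry)) {
      bound.add(entry);
      continue;
    }
    if (!opts.allowNameResolution) {
      rejected.push(`${entry}: name-based entries are ignored unless allowNameResolution is set`);
      continue;
    }
    const hits = directory.filter((u) => u.displayName === entry);
    if (hits.length !== 1) {
      rejected.push(`${entry}: ${hits.length} directory matches, refusing to bind`);
      continue;
    }
    bound.add(hits[0].id);
  }
  return { bound, rejected };
}

// Runtime check, identical for both resolvers: the sender's stable ID must be in the bound set.
function isAllowed(bound: Set<string>, senderId: string): boolean {
  return bound.has(senderId);
}

// Walk through the scenario: the service restarts after the rename, first with the
// name-based allowlist ["alice"], then with the ID-based allowlist ["U100"].
function runScenario() {
  const vulnerable = resolveAllowlistVulnerable(DIRECTORY_AFTER_RENAME, ["alice"]);
  const byId = resolveAllowlistHardened(DIRECTORY_AFTER_RENAME, ["U100"]);
  const byNameOptIn = resolveAllowlistHardened(DIRECTORY_AFTER_RENAME, ["alice"], { allowNameResolution: true });
  const byNameNoOptIn = resolveAllowlistHardened(DIRECTORY_BEFORE, ["alice"]);
  return {
    vulnerableTrustsAttacker: isAllowed(vulnerable, "U200"), // true: U200 replaced U100
    vulnerableTrustsAlice: isAllowed(vulnerable, "U100"),    // false: alice is locked out
    hardenedTrustsAttacker: isAllowed(byId.bound, "U200"),   // false
    hardenedTrustsAlice: isAllowed(byId.bound, "U100"),      // true
    optInBindsOnCollision: byNameOptIn.bound.size,           // 0: ambiguous name, refused
    optInRejections: byNameOptIn.rejected,
    noOptInRejections: byNameNoOptIn.rejected,
  };
}

console.log(runScenario());
```

The hardened resolver deliberately fails closed: an ambiguous name binds nobody and is reported, so a collision surfaces at startup instead of quietly swapping identities. Before the rename, the same opt-in lookup resolves "alice" to U100, which is why operators who must use names should still migrate to IDs.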

Broader Implications

From a security perspective, this class of vulnerability aligns with CWE-639 (Authorization Bypass Through User-Controlled Key), in which an attacker-controlled identifier is used to make an authorization decision. The impact is particularly severe in AI agent environments, where compromised access can translate into arbitrary command execution, data exfiltration, or lateral movement within integrated systems.

According to Philip Garabandic, the incident highlights that patching one component does not eliminate the underlying vulnerability class. Without systemic detection mechanisms, the same flaw can reappear across different modules, emphasizing the need for comprehensive security reviews and consistent enforcement of secure coding practices.

Recommendations for Users

Users of OpenClaw are strongly advised to:

– Update Immediately: Ensure that all OpenClaw instances are updated to the latest versions where these vulnerabilities have been patched.

– Review Allowlist Configurations: Verify that allowlists are based on stable, immutable user identifiers rather than mutable display names.

– Implement Monitoring: Watch member-profile changes for display names that collide with allowlisted identities, and alert on agent commands that arrive from unexpected user IDs or produce unexpected agent behavior.

– Conduct Regular Security Audits: Regularly audit AI agent integrations and configurations to identify and mitigate potential security risks.
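As an added example for the monitoring recommendation (not code from OpenClaw or any platform SDK), the following TypeScript scans a constructed stream of member-profile events and alerts when a member who is not the allowlisted user takes an allowlisted display name. The event shape, the trusted list and the sample events are assumptions made for this example.

```typescript
// Added example, not OpenClaw's own code: a monitor that flags display-name
// collisions with allowlisted identities. The event shape, trusted list and
// sample events are constructed for this example.

interface ProfileEvent {
  ts: string;
  userId: string; // stable platform ID of the member whose profile changed
  oldName: string;
  newName: string;
}

interface TrustedIdentity {
  id: string;
  displayName: string; // the name operators expect to see for this ID
}

interface ImpersonationAlert {
  ts: string;
  userId: string;
  newName: string;
  collidesWith: TrustedIdentity;
}

// Fold case, surrounding whitespace and Unicode compatibility forms (fullwidth
// letters, ligatures) so cosmetic variants of a trusted name are still caught.
// Confusables from other scripts (e.g. Cyrillic "а") are not covered here.
function canonicalName(name: string): string {
  return name.normalize("NFKC").trim().toLowerCase();
}

// Alert on any event whose new name canonicalizes to a trusted name while the
// actor is not the trusted ID. A trusted user changing their own name is ignored.
function detectImpersonation(events: ProfileEvent[], trusted: TrustedIdentity[]): ImpersonationAlert[] {
  const byCanonicalName = new Map<string, TrustedIdentity>();
  for (const t of trusted) byCanonicalName.set(canonicalName(t.displayName), t);

  const alerts: ImpersonationAlert[] = [];
  for (const ev of events) {
    const match = byCanonicalName.get(canonicalName(ev.newName));
    if (match && match.id !== ev.userId) {
      alerts.push({ ts: ev.ts, userId: ev.userId, newName: ev.newName, collidesWith: match });
    }
  }
  return alerts;
}

// Constructed trusted list: U100 is the allowlisted operator "alice".
const TRUSTED: TrustedIdentity[] = [{ id: "U100", displayName: "alice" }];

// Constructed sample events: a harmless rename, the trusted user's own rename,
// an exact collision, and a padded fullwidth variant of the trusted name.
const SAMPLE_EVENTS: ProfileEvent[] = [
  { ts: "2025-01-01T09:00:00Z", userId: "U300", oldName: "bob", newName: "robert" },
  { ts: "2025-01-01T09:05:00Z", userId: "U100", oldName: "alice", newName: "Alice" },
  { ts: "2025-01-01T09:10:00Z", userId: "U200", oldName: "mallory", newName: "alice" },
  { ts: "2025-01-01T09:15:00Z", userId: "U400", oldName: "carol", newName: " ＡＬＩＣＥ " },
];

function runMonitor(): ImpersonationAlert[] {
  return detectImpersonation(SAMPLE_EVENTS, TRUSTED);
}

for (const a of runMonitor()) {
  console.log(
    `${a.ts} ${a.userId} renamed to ${JSON.stringify(a.newName)}, ` +
      `collides with ${a.collidesWith.id} (${a.collidesWith.displayName})`,
  );
}
```

In a real deployment the events would come from the platform's member-update webhook or audit log, and an alert should also be raised when the allowlisted user's own display name changes, since that is the moment a name-based allowlist would start to drift.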

By taking these steps, organizations can enhance the security of their AI agent deployments and protect against unauthorized access and potential data breaches.