Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
OpenClaw before 2026.4.15 contains an authorization bypass vulnerability in Matrix room control-command authorization that trusts DM pairing-store entries. Attackers with DM-paired sender IDs can execute room control commands without being in configured allowlists by posting in bot rooms, potentially enabling privileged OpenClaw behavior.
AnalysisAI
Authorization bypass in OpenClaw Matrix bot integration allows DM-paired attackers to execute privileged room control commands without configured permissions. Attackers who have previously established direct message pairing can exploit misaligned allowlist logic to run room control commands in bot rooms, bypassing room membership and allowlist requirements. Fixed in version 2026.4.15 after responsible disclosure by Keen Security Lab. No evidence of active exploitation; publicly available vendor advisory and fix commits reduce exploitation probability.
Technical ContextAI
OpenClaw is a Matrix protocol bot framework that maintains separate authorization contexts for direct messages (DMs) and room-based interactions. The vulnerability (CWE-863: Incorrect Authorization) stemmed from the room control-command authorization logic incorrectly consulting the DM pairing store when validating sender permissions for room commands. The pairing store tracks sender IDs authorized for one-on-one DM interactions, which should never grant authority over multi-user room control commands. The flawed implementation in access-state.ts merged DM pairing-store entries into the effective allowlist for room traffic, creating an authorization boundary confusion. Room control commands in Matrix bots typically drive privileged operations like configuration changes, data retrieval, or workflow triggers-making this bypass a path to unintended privilege escalation within the bot's operational scope.
RemediationAI
Upgrade to OpenClaw version 2026.4.15 or later, which contains authorization boundary fixes in commits f8705f512b09043df02b5da372c33374734bd921 (PR #67294) and 2bfd808a83116bd888e3e2633a61473fa2ed81b6 (PR #67325). The patch restructures room control-command authorization to exclude DM pairing-store entries from the room allowlist, enforcing strict separation between DM and room authorization contexts. Update instructions and release details are available at https://github.com/openclaw/openclaw/security/advisories/GHSA-2gvc-4f3c-2855. If immediate patching is not feasible, implement compensating controls: disable Matrix room control commands entirely via bot configuration, restrict bot room membership to only trusted administrator accounts, or implement out-of-band verification for room control command senders (noting this adds operational overhead and user friction). Audit existing DM pairing-store entries and remove any sender IDs that should not have room command access, though this provides only partial mitigation since the authorization logic flaw remains. Review bot command and tool policies to ensure room control commands do not expose overly privileged operations that could be abused. The side effect of disabling room control commands is loss of Matrix-based bot management functionality, requiring alternative administrative interfaces.
Auth bypass in OpenClaw voice-call extension before 2026.2.1. EPSS 0.68%. PoC and patch available.
Privilege escalation in OpenClaw (pre-2026.3.28) allows unauthenticated remote attackers to gain administrative access b
OpenClaw versions 2026.2.22 through 2026.2.24 contain a privilege escalation vulnerability that allows authenticated att
An authorization mismatch vulnerability in OpenClaw versions prior to 2026.3.1 allows authenticated users with operator.
OpenClaw versions prior to 2026.1.29 automatically establish WebSocket connections to attacker-controlled gateway URLs e
Path traversal in OpenClaw through version 2026.3.23 enables unauthenticated remote attackers to read arbitrary files in
OpenClaw sandbox browser functionality launches x11vnc for noVNC observer sessions without requiring authentication, all
OpenClaw versions before 2026.2.26 allow authenticated attackers to write arbitrary files outside the workspace director
OpenClaw versions prior to 2026.2.22 contain a shell environment variable injection vulnerability in the system.run func
OpenClaw versions prior to 2026.2.22 contain a resource exhaustion vulnerability where the application fails to consiste
OpenClaw versions prior to 2026.3.1 contain a sandbox escape vulnerability that allows authenticated attackers with low
OpenClaw versions 2026.1.30 and below fail to validate Telegram webhook secret tokens when `channels.telegram.webhookSec
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28186
GHSA-2gvc-4f3c-2855