GHSA-2gvc-4f3c-2855: OpenClaw: auth bypass lets DM senders run room commands

GHSA-2gvc-4f3c-2855 HIGH
Published April 17, 2026
CISO Take

OpenClaw, an AI agent framework, contains an authorization boundary flaw (CWE-863) where any Matrix user previously paired via DM can execute room control commands without being on the room allowlist, room membership list, or group allowlist. For teams running OpenClaw with privileged tool policies — code execution, external API calls, or data access — a single DM-paired attacker posting in a bot room gains the same command authority as an explicitly authorized administrator, making this a lateral privilege escalation path inside the AI agent's trust model. While downstream package exposure is limited (4 dependents) and no public exploit exists, the attack requires minimal effort from any already-paired sender and the impact scales with how permissive the deployment's command-and-tool policy is. Upgrade to OpenClaw 2026.4.15 immediately; no workaround exists for earlier versions, and the fix is verified with regression tests covering exactly this bypass path.

Sources: GitHub Advisory, ATLAS

What is the risk?

MEDIUM-HIGH. The vulnerability requires a precondition (attacker must already hold a valid Matrix DM pairing with the target OpenClaw instance), which constrains the attacker pool to insiders, former users, or anyone who socially engineered a pairing. However, once that precondition is met, exploitation is straightforward: post to a bot room and issue a control command. Severity scales directly with the deployment's command-and-tool policy — a low-privilege deployment has low blast radius; a deployment granting shell execution or secrets access is critically exposed. No EPSS data exists, no KEV listing, and no public exploit is available, reducing near-term risk, but the 135 other CVEs tracked in the same package signal a pattern of security debt in this project.

How does the attack unfold?

DM Pairing Establishment
Attacker obtains or already holds a valid Matrix DM pairing with the target OpenClaw bot, placing their sender ID in the pairing store (legitimately or via social engineering).
AML.T0012
Authorization Bypass
Attacker posts a room control command in a Matrix room where the bot is active; the vulnerable authorizer includes DM pairing-store entries in the effective allowlist and approves the command.
AML.T0049
Privileged Command Execution
OpenClaw executes the room control command with full room-operator authority, invoking whatever tools and capabilities the deployment's command-and-tool policy permits.
AML.T0053
Impact
Attacker drives privileged agent behavior — data exfiltration, external API calls, script execution, or further lateral movement — with no indication in room membership that they hold this access.

What systems are affected?

Package: OpenClaw
Ecosystem: npm
Vulnerable Range: > 2026.3.28, < 2026.4.15
Patched: 2026.4.15
4 dependents; 36% patched; ~3d to patch

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1
N/A
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Moderate

What should I do?

5 steps
  1. PATCH

    Upgrade to OpenClaw 2026.4.15, which restricts room command authorizers to only commandAllowFrom configured sender IDs, effective room users, and group allowlists. Verify the fix by confirming that commits f8705f512b09043df02b5da372c33374734bd921 and 2bfd808a83116bd888e3e2633a61473fa2ed81b6 are present.

  2. AUDIT

    Review all active Matrix DM pairings in the OpenClaw pairing store; revoke any pairings for users who should not have room-level command access.

  3. DETECT

    Check OpenClaw room command logs for unexpected room control events from senders not in your room allowlist — any such event on a pre-patch instance is a strong indicator of exploitation.

  4. HARDEN

    Apply least-privilege principles to command-and-tool policies; ensure OpenClaw's tool policy does not grant privileged capabilities (shell access, credential retrieval, external API calls) unless explicitly required.

  5. NO WORKAROUND

    There is no configuration workaround for affected versions; patching is the only remediation.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.5 - Access Control for AI Systems
NIST AI RMF
MANAGE 2.2 - Residual risks are managed and monitored
OWASP LLM Top 10
LLM08 - Excessive Agency

Frequently Asked Questions

What is GHSA-2gvc-4f3c-2855?

OpenClaw, an AI agent framework, contains an authorization boundary flaw (CWE-863) where any Matrix user previously paired via DM can execute room control commands without being on the room allowlist, room membership list, or group allowlist. For teams running OpenClaw with privileged tool policies — code execution, external API calls, or data access — a single DM-paired attacker posting in a bot room gains the same command authority as an explicitly authorized administrator, making this a lateral privilege escalation path inside the AI agent's trust model. While downstream package exposure is limited (4 dependents) and no public exploit exists, the attack requires minimal effort from any already-paired sender and the impact scales with how permissive the deployment's command-and-tool policy is. Upgrade to OpenClaw 2026.4.15 immediately; no workaround exists for earlier versions, and the fix is verified with regression tests covering exactly this bypass path.

Is GHSA-2gvc-4f3c-2855 actively exploited?

No confirmed active exploitation of GHSA-2gvc-4f3c-2855 has been reported, but organizations should still patch proactively.

How to fix GHSA-2gvc-4f3c-2855?

1. PATCH: Upgrade to OpenClaw 2026.4.15, which restricts room command authorizers to only commandAllowFrom configured sender IDs, effective room users, and group allowlists. Verify the fix by confirming that commits f8705f512b09043df02b5da372c33374734bd921 and 2bfd808a83116bd888e3e2633a61473fa2ed81b6 are present.
2. AUDIT: Review all active Matrix DM pairings in the OpenClaw pairing store; revoke any pairings for users who should not have room-level command access.
3. DETECT: Check OpenClaw room command logs for unexpected room control events from senders not in your room allowlist — any such event on a pre-patch instance is a strong indicator of exploitation.
4. HARDEN: Apply least-privilege principles to command-and-tool policies; ensure OpenClaw's tool policy does not grant privileged capabilities (shell access, credential retrieval, external API calls) unless explicitly required.
5. NO WORKAROUND: There is no configuration workaround for affected versions; patching is the only remediation.

What systems are affected by GHSA-2gvc-4f3c-2855?

This vulnerability affects the following AI/ML architecture patterns: AI agent frameworks, Bot orchestration platforms, Matrix-integrated automation pipelines, Multi-channel AI command interfaces.

What is the CVSS score for GHSA-2gvc-4f3c-2855?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

AI agent frameworks
Bot orchestration platforms
Matrix-integrated automation pipelines
Multi-channel AI command interfaces

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0049 Exploit Public-Facing Application
AML.T0053 AI Agent Tool Invocation

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2.5
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM08

What are the technical details?

Original Advisory

## Summary

Matrix room control-command authorization used the effective allowlist for room traffic, which included sender IDs learned from the Matrix DM pairing store. A sender who was allowed only for a Matrix DM could therefore authorize room control commands when they also posted in a bot room.

## Impact

This bypass let a DM-paired Matrix sender cross the DM/room authorization boundary and run Matrix room control commands without being present in the configured room allowlist, room membership list, or group allowlist. The issue required a sender already present in the pairing store and able to send to the target Matrix room. Severity remains high because room control commands can drive privileged OpenClaw behavior depending on the deployment's command and tool policy.

## Affected versions

- Affected: `> 2026.3.28, < 2026.4.15`
- Patched: `2026.4.15`

## Fix

OpenClaw `2026.4.15` fixes the authorization boundary. Room control-command authorizers now use only configured sender IDs, effective room users, and group allowlists; DM pairing-store entries no longer authorize room commands. A follow-up change also skips DM pairing-store reads on room traffic.

Verified in `v2026.4.15`:

- `extensions/matrix/src/matrix/monitor/access-state.ts` builds room command authorizers from `commandAllowFrom`, which excludes pairing-store sender IDs for room traffic.
- `extensions/matrix/src/matrix/monitor/handler.ts` gates room control commands through those authorizers.
- `extensions/matrix/src/matrix/monitor/access-state.test.ts` covers a DM pairing-store sender and verifies it cannot authorize room control commands.

Fix commits included in `v2026.4.15` and absent from `v2026.4.14`:

- `f8705f512b09043df02b5da372c33374734bd921` via PR #67294
- `2bfd808a83116bd888e3e2633a61473fa2ed81b6` via PR #67325

Thanks to @nexrin and Keen Security Lab for reporting this issue.

Exploitation Scenario

An attacker who previously paired with an OpenClaw bot via a legitimate Matrix DM (e.g., during onboarding, a forgotten integration, or social engineering the bot owner into a pairing) remains in the DM pairing store indefinitely. On a vulnerable instance, the attacker joins or already has access to a Matrix room where the OpenClaw bot is active. They post a room control command — for example, triggering a tool that reads internal data, executes a script, or calls an external API — directly to the room. The vulnerable authorization check consults the effective allowlist, which erroneously includes DM pairing-store entries, approves the sender, and executes the privileged command. The attacker achieves agentic command execution equivalent to an authorized room administrator, potentially exfiltrating data, modifying agent behavior, or pivoting to connected systems, with no indication in the room membership list that they hold this access.
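The authorization boundary described in the advisory and the scenario above, and the retrospective check the DETECT step asks for, modelled as an added example in TypeScript. This is not OpenClaw's code: the state shape, the "/" command convention and the sample sender IDs are assumptions made for the example; only the set of allowlist sources (commandAllowFrom, effective room users, group allowlist, DM pairing store) comes from the advisory.

```typescript
// Illustrative model of the GHSA-2gvc-4f3c-2855 boundary; not OpenClaw's code.
// All type and field names are assumptions made for this example.
type SenderId = string;
interface MatrixAccessState {
  commandAllowFrom: SenderId[]; // operator-configured sender IDs
  roomMembers: SenderId[];      // effective room users
  groupAllowlist: SenderId[];   // group allowlist
  dmPairingStore: SenderId[];   // senders paired via DM only
}
interface RoomEvent { roomId: string; sender: SenderId; body: string; }
// Assumption: room control commands are messages starting with "/".
const isControlCommand = (body: string): boolean => body.trim().startsWith("/");
// Pre-2026.4.15 behaviour as the advisory describes it: the effective allowlist
// for room traffic also includes DM pairing-store entries, so a DM-only sender passes.
function vulnerableRoomAuthorizer(state: MatrixAccessState) {
  const effective = new Set<SenderId>([
    ...state.commandAllowFrom, ...state.roomMembers,
    ...state.groupAllowlist, ...state.dmPairingStore,
  ]);
  return (ev: RoomEvent): boolean => isControlCommand(ev.body) && effective.has(ev.sender);
}
// 2026.4.15 behaviour as described: only configured sender IDs, effective room
// users and group allowlists authorize room commands; the pairing store is not read.
function fixedRoomAuthorizer(state: MatrixAccessState) {
  const roomScoped = new Set<SenderId>([
    ...state.commandAllowFrom, ...state.roomMembers, ...state.groupAllowlist,
  ]);
  return (ev: RoomEvent): boolean => isControlCommand(ev.body) && roomScoped.has(ev.sender);
}

// DETECT step: on a pre-patch instance, every command the vulnerable authorizer
// accepted but the fixed one rejects came from a sender with no room-level grant.
function findBypassEvents(state: MatrixAccessState, events: RoomEvent[]): RoomEvent[] {
  const vuln = vulnerableRoomAuthorizer(state);
  const fixed = fixedRoomAuthorizer(state);
  return events.filter((ev) => vuln(ev) && !fixed(ev));
}

// Constructed sample: @mallory is paired via DM only and holds no room-level grant.
const sampleState: MatrixAccessState = {
  commandAllowFrom: ["@alice:example.org"],
  roomMembers: ["@alice:example.org", "@bob:example.org"],
  groupAllowlist: [],
  dmPairingStore: ["@mallory:example.org"],
};
const sampleEvents: RoomEvent[] = [
  { roomId: "!ops:example.org", sender: "@alice:example.org", body: "/status" },
  { roomId: "!ops:example.org", sender: "@mallory:example.org", body: "/status" },
  { roomId: "!ops:example.org", sender: "@mallory:example.org", body: "hello" },
];
```

Running findBypassEvents over exported room command logs with the deployment's real allowlists reproduces the audit the DETECT step describes: any hit is a command a pre-patch instance executed for a sender the patched authorizer would have refused.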

Weaknesses (CWE)

CWE-863 — Incorrect Authorization: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

  • [Architecture and Design] Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries. Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
  • [Architecture and Design] Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Source: MITRE CWE corpus.

Timeline

Published
April 17, 2026
Last Modified
April 17, 2026
First Seen
April 18, 2026

Related Vulnerabilities