VYPR
Research · Published Jun 3, 2026 · 1 source

Five Zero-Day Vulnerabilities in OpenClaw Allow Hijacking of Trusted AI Agent Access

Five zero-day vulnerabilities in OpenClaw enabled attackers to bypass trust boundaries and hijack AI agent access across platforms like Slack, Discord, and Microsoft Teams.

Five critical zero-day vulnerabilities discovered in the OpenClaw AI agent integration platform have exposed a significant flaw in its trust model, allowing attackers to bypass security boundaries and gain unauthorized control over AI agents. These vulnerabilities, identified by researcher Philip Garabandic, stem from an improper identity resolution mechanism that attackers can exploit by renaming themselves to match allowlisted display names.

OpenClaw facilitates the integration of AI agents with popular messaging and collaboration services, including Slack, Discord, Microsoft Teams, Matrix, and Telegram. Its security architecture relies on user-defined allowlists to dictate which identities are permitted to interact with AI agents. This system is designed to ensure that only explicitly approved users can issue commands to agents that might possess access to sensitive data, internal APIs, or system execution capabilities. However, the research revealed that the mutability of display names on these platforms undermines this trust model.

The core issue lies in how OpenClaw resolves identities during its initialization process. While runtime operations typically validate stable user IDs, the startup logic resolves allowlist entries using mutable fields such as display names or usernames. This means an attacker can change their display name to precisely match that of a legitimate, allowlisted user before the system restarts or reinitializes. Consequently, the platform may incorrectly associate the attacker's identity with the trusted entry in the allowlist.

This vulnerability was first observed in OpenClaw's Telegram integration and was patched under advisory GHSA-mj5r-hh7j-4gxf. Despite this initial fix, the same underlying flaw was found to be replicated across five other channel extensions: Slack, Discord, Matrix, Zalo, and Microsoft Teams. This indicates a systemic problem in how security was implemented across different modules, suggesting a failure in consistent security enforcement and potentially a lack of robust code review processes for parallel development efforts.

Once an attacker successfully impersonates a trusted user by manipulating their display name, they effectively gain full control over the AI agent's interactions. This allows for arbitrary command execution, data exfiltration, and potentially lateral movement within integrated systems. The legitimate user, meanwhile, is silently excluded from interacting with the agent, unaware of the compromise.

The vulnerabilities were uncovered using an AI-driven static analysis tool called agentgg. This tool was specifically trained to identify recurring anti-patterns by analyzing historical advisories and past vulnerabilities within OpenClaw. By leveraging this data, agentgg developed targeted detection logic that successfully pinpointed the replicated flaw across multiple modules, demonstrating the power of AI in proactive vulnerability discovery.

OpenClaw maintainers have acknowledged the findings and have implemented fixes that enforce strict ID-based matching for allowlist entries. They have also introduced explicit configuration flags to gate name-based resolution, enhancing the security of their platform. This incident serves as a stark reminder that patching a single instance of a vulnerability does not eliminate the underlying weakness, especially in complex, distributed systems. Organizations must implement systemic detection mechanisms to prevent repeated security failures and bolster trust boundaries in their AI-driven architectures.
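
The startup resolution flaw and the ID-based fix described above can be sketched side by side; this is an added example, not OpenClaw's code. The types, function names, the `allowNameMatching` option, the rejection of ambiguous names and the sample directory are all assumptions made for illustration.

```typescript
// Added illustration: every name here is hypothetical, not OpenClaw's code or API.
interface Member {
  id: string;          // platform-assigned, stable
  displayName: string; // editable by the user at any time
}
interface Resolution { ids: string[]; rejected: string[] }

// Constructed sample directory: U100 is the intended operator; U666 took the
// same display name before the service restarted.
const DIRECTORY: Member[] = [
  { id: "U666", displayName: "alice" },
  { id: "U100", displayName: "alice" },
  { id: "U200", displayName: "bob" },
];

// Flawed pattern: each entry becomes an ID by asking who holds that name right
// now. The first hit wins, so the real "alice" can be dropped without any error.
function resolveByName(allowlist: string[], directory: Member[]): string[] {
  const ids: string[] = [];
  for (const entry of allowlist) {
    const first = directory.filter((m) => m.id === entry || m.displayName === entry)[0];
    if (first) ids.push(first.id);
  }
  return ids;
}

// Hardened pattern: entries must be stable IDs. Name lookup runs only behind an
// explicit opt-in, and a name held by more than one account is rejected.
function resolveStrict(allowlist: string[], directory: Member[], allowNameMatching = false): Resolution {
  const out: Resolution = { ids: [], rejected: [] };
  for (const entry of allowlist) {
    if (directory.some((m) => m.id === entry)) { out.ids.push(entry); continue; }
    const named = allowNameMatching ? directory.filter((m) => m.displayName === entry) : [];
    const only = named.length === 1 ? named[0] : undefined;
    if (only) out.ids.push(only.id);
    else out.rejected.push(entry); // reported to the operator, never guessed
  }
  return out;
}

// Runtime authorization compares the sender's stable ID only.
function isAllowed(senderId: string, ids: string[]): boolean {
  return ids.indexOf(senderId) !== -1;
}
```

With the sample directory, `resolveByName(["alice"], DIRECTORY)` binds the entry to `U666` and leaves `U100` out, while `resolveStrict` accepts only `U100` when it is listed by ID and returns `alice` in `rejected`.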

Synthesized by Vypr AI