CVE-2026-28471
MEDIUM WAF: Low
CVSS 5.3
Published: 2026-03-05
CWE-287
OpenClaw version 2026.1.14-1 prior to 2026.2.2, with the Matrix plugin installed and enabled, contain a vulnerability in which DM allowlist matching could be bypassed by exact-matching against sender display names and localparts without homeserver validation. Remote Matrix users can impersonate allowed identities by using attacker-controlled display names or matching localparts from different homeservers to reach the routing and agent pipeline.
WAF Coverage Analysis
Improper Authentication
Low WAF Coverage
OWASP: A07:2021 Identification and Authentication Failures
Affected Software
| Vendor | Product | Version |
|---|---|---|
| openclaw | openclaw | 2026.1.14-1 - 2026.2.2 |
References
- github.com (Patch)
- github.com (Vendor Advisory)
- www.vulncheck.com (Third Party Advisory)