Five OpenClaw 0-Days let Attackers to Hijack Trusted AI Agent Access
Cybersecurity NewsArchived Jun 03, 2026✓ Full text saved
Five zero-day flaws in OpenClaw allowed attackers to bypass trust boundaries and hijack AI agent access across multiple messaging platforms. OpenClaw, which integrates AI agents with services such as Slack, Discord, Microsoft Teams, Matrix, and Telegram, relies heavily on user-defined allowlists to determine who can interact with an agent. This trust model assumes that only […] The post Five OpenClaw 0-Days let Attackers to Hijack Trusted AI Agent Access appeared first on Cyber Security News .
Full text archived locally
✦ AI Summary· Claude Sonnet
HomeAI
Five OpenClaw 0-Days let Attackers to Hijack Trusted AI Agent Access
By Abinaya
June 3, 2026
Five zero-day flaws in OpenClaw allowed attackers to bypass trust boundaries and hijack AI agent access across multiple messaging platforms.
OpenClaw, which integrates AI agents with services such as Slack, Discord, Microsoft Teams, Matrix, and Telegram, relies heavily on user-defined allowlists to determine who can interact with an agent.
This trust model assumes that only explicitly approved identities can issue commands to agents that may have access to sensitive data, internal APIs, or system-level execution capabilities.
However, Philip Garabandic found that this trust model breaks down due to improper identity resolution during allowlist processing.
Five OpenClaw 0-Days
The vulnerabilities stem from a recurring design flaw in which human-readable identifiers, such as display names, are resolved to stable user IDs during service initialization.
Because display names are mutable across most chat platforms, attackers can impersonate trusted users simply by renaming themselves to match an allowlisted identity.
This issue was initially identified in OpenClaw’s Telegram integration and patched under advisory GHSA-mj5r-hh7j-4gxf.
Despite the fix, the same root cause persisted across five additional channel extensions, specifically Slack, Discord, Matrix, Zalo, and Microsoft Teams.
Each implementation independently reintroduced the same insecure pattern, highlighting a broader issue in distributed development and inconsistent security enforcement.
At the core of the vulnerability is a flawed startup resolution process. While runtime checks typically validate stable user IDs, the initialization logic resolves allowlist entries via directory lookups based on mutable fields such as displayName or username.
Example view after running full base on juice shop(source: Philip Garabandic / Infosecwriteups)
If an attacker changes their display name to match an allowlisted user before a service restart, the system may incorrectly bind the attacker’s ID into the trusted allowlist.
Once this occurs, the attacker gains full control over agent interactions while the legitimate user is silently excluded.
The vulnerabilities were identified using a specialized AI-driven static analysis tool called agentgg, which generates custom detectors based on historical advisories.
By analyzing prior OpenClaw vulnerabilities, the tool developed targeted detection logic for recurring anti-patterns, ultimately identifying a flaw replicated across multiple modules.
Each finding has since been acknowledged and addressed by OpenClaw maintainers, with fixes that enforce strict ID-based matching and gate name-based resolution behind explicit configuration flags.
From a security perspective, this class of vulnerability aligns with CWE-639, which describes bypassing authorization through user-controlled identifiers.
The impact is particularly severe in AI agent environments, where compromised access can translate into arbitrary command execution, data exfiltration, or lateral movement within integrated systems.
According to Philip Garabandic, the incident highlights that patching one component does not eliminate the underlying vulnerability class.
Without systemic detection mechanisms, the same flaw can silently propagate across parallel implementations.
By operationalizing past incident data into automated detection workflows, organizations can prevent repeated failures and strengthen trust boundaries in increasingly complex AI-driven architectures.
Free Webinar on OWASP API Top 10 and Guide to Close Visibility Gaps With WAAP
Tags
cyber security
cyber security news
Copy URL
Linkedin
Twitter
ReddIt
Telegram
Abinayahttps://cybersecuritynews.com/
Abi is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space.
Trending News
Malicious NuGet Package as Sicoob SDK Exfiltrates Banking Passwords
Attackers Abuse Trusted Developer Tooling to Exfiltrate Source Code and Secrets
Android 0-Day Vulnerability Exploited in Attacks to Gain Complete Device Control
Claude Code’s GitHub Actions Vulnerability Lets Attackers Compromise Any Repository
Google Patches 151 Vulnerabilities in Chrome, Including 22 Critical Ones
Latest News
AI
Hackers Using AI Tools to Automate Active Directory Attacks and EDR Evasion
Apache
Critical Apache ActiveMQ Vulnerability Allows Malicious Security Header Injections
Cyber Security News
Ivanti ITSM Vulnerability Lets Attackers Gain Admin Privilege
Cyber Security News
Laravel CRLF Injection Vulnerability Enables an Attacker to Interfere with Outbound Email Processing
Cyber Security News
Hackers Use YouTube and SEO Poisoning to Spread WeedHack Minecraft Malware