CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership Jun 03, 2026

Five OpenClaw 0-Days let Attackers to Hijack Trusted AI Agent Access

Cybersecurity News Archived Jun 03, 2026 ✓ Full text saved

Five zero-day flaws in OpenClaw allowed attackers to bypass trust boundaries and hijack AI agent access across multiple messaging platforms. OpenClaw, which integrates AI agents with services such as Slack, Discord, Microsoft Teams, Matrix, and Telegram, relies heavily on user-defined allowlists to determine who can interact with an agent. This trust model assumes that only […] The post Five OpenClaw 0-Days let Attackers to Hijack Trusted AI Agent Access appeared first on Cyber Security News .

Full text archived locally
✦ AI Summary · Claude Sonnet


    HomeAI Five OpenClaw 0-Days let Attackers to Hijack Trusted AI Agent Access By Abinaya June 3, 2026 Five zero-day flaws in OpenClaw allowed attackers to bypass trust boundaries and hijack AI agent access across multiple messaging platforms. OpenClaw, which integrates AI agents with services such as Slack, Discord, Microsoft Teams, Matrix, and Telegram, relies heavily on user-defined allowlists to determine who can interact with an agent. This trust model assumes that only explicitly approved identities can issue commands to agents that may have access to sensitive data, internal APIs, or system-level execution capabilities. However, Philip Garabandic found that this trust model breaks down due to improper identity resolution during allowlist processing. Five OpenClaw 0-Days The vulnerabilities stem from a recurring design flaw in which human-readable identifiers, such as display names, are resolved to stable user IDs during service initialization. Because display names are mutable across most chat platforms, attackers can impersonate trusted users simply by renaming themselves to match an allowlisted identity. This issue was initially identified in OpenClaw’s Telegram integration and patched under advisory GHSA-mj5r-hh7j-4gxf. Despite the fix, the same root cause persisted across five additional channel extensions, specifically Slack, Discord, Matrix, Zalo, and Microsoft Teams. Each implementation independently reintroduced the same insecure pattern, highlighting a broader issue in distributed development and inconsistent security enforcement. At the core of the vulnerability is a flawed startup resolution process. While runtime checks typically validate stable user IDs, the initialization logic resolves allowlist entries via directory lookups based on mutable fields such as displayName or username. Example view after running full base on juice shop(source: Philip Garabandic / Infosecwriteups) If an attacker changes their display name to match an allowlisted user before a service restart, the system may incorrectly bind the attacker’s ID into the trusted allowlist. Once this occurs, the attacker gains full control over agent interactions while the legitimate user is silently excluded. The vulnerabilities were identified using a specialized AI-driven static analysis tool called agentgg, which generates custom detectors based on historical advisories. By analyzing prior OpenClaw vulnerabilities, the tool developed targeted detection logic for recurring anti-patterns, ultimately identifying a flaw replicated across multiple modules. Each finding has since been acknowledged and addressed by OpenClaw maintainers, with fixes that enforce strict ID-based matching and gate name-based resolution behind explicit configuration flags. From a security perspective, this class of vulnerability aligns with CWE-639, which describes bypassing authorization through user-controlled identifiers. The impact is particularly severe in AI agent environments, where compromised access can translate into arbitrary command execution, data exfiltration, or lateral movement within integrated systems. According to Philip Garabandic, the incident highlights that patching one component does not eliminate the underlying vulnerability class. Without systemic detection mechanisms, the same flaw can silently propagate across parallel implementations. By operationalizing past incident data into automated detection workflows, organizations can prevent repeated failures and strengthen trust boundaries in increasingly complex AI-driven architectures. Free Webinar on OWASP API Top 10 and Guide to Close Visibility Gaps With WAAP Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Abinayahttps://cybersecuritynews.com/ Abi is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space. Trending News Malicious NuGet Package as Sicoob SDK Exfiltrates Banking Passwords Attackers Abuse Trusted Developer Tooling to Exfiltrate Source Code and Secrets Android 0-Day Vulnerability Exploited in Attacks to Gain Complete Device Control Claude Code’s GitHub Actions Vulnerability Lets Attackers Compromise Any Repository Google Patches 151 Vulnerabilities in Chrome, Including 22 Critical Ones Latest News AI Hackers Using AI Tools to Automate Active Directory Attacks and EDR Evasion Apache Critical Apache ActiveMQ Vulnerability Allows Malicious Security Header Injections Cyber Security News Ivanti ITSM Vulnerability Lets Attackers Gain Admin Privilege Cyber Security News Laravel CRLF Injection Vulnerability Enables an Attacker to Interfere with Outbound Email Processing Cyber Security News Hackers Use YouTube and SEO Poisoning to Spread WeedHack Minecraft Malware
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    Jun 03, 2026
    Archived
    Jun 03, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗