
Five OpenClaw Zero-Days Let Attackers Hijack AI Agent Access via Display Name Impersonation

Security researcher Philip Garabandic discovered five zero-day vulnerabilities in OpenClaw affecting Slack, Discord, Matrix, Zalo, and Teams. The flaws stem from mutable display names being used for identity resolution, allowing attackers to impersonate trusted users and hijack agent access. The disclosure came just as Microsoft expanded its use of OpenClaw with Scout.

Product Idea from this Signal

A runtime middleware that verifies messaging channel user identities against platform-native stable IDs before any command reaches an OpenClaw agent

OpenClaw agents connect to Slack, Discord, Teams, Matrix, Telegram, and Zalo through channel plugins. The allowlist system resolves mutable display names to user IDs only at service startup. Five zero-days disclosed June 3, 2026 showed that attackers can impersonate trusted users simply by renaming themselves on any of these platforms before a restart. The fix OpenClaw shipped consists of config flags, but the architectural flaw persists: binding identity at initialization time is fundamentally weaker than verifying it continuously. A middleware sitting between the channel adapters and the agent gateway would check every inbound message against platform-native stable IDs in real time, catching impersonation at message time rather than only at initialization.
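The weakness and the mitigation described above, as an added toy model (constructed for this page, not OpenClaw's code): a `Directory` stands in for a platform's user list, `StartupBoundAllowlist` resolves display names to IDs once at construction, and `StableIdAllowlist` checks the platform-supplied stable ID on every message. The user IDs, names and command text are made up.

```python
# Constructed illustration of startup-time vs. message-time identity binding.
from dataclasses import dataclass


@dataclass
class Directory:
    """Stand-in for a chat platform's user directory (constructed data)."""
    names: dict  # stable user_id -> current (mutable) display name

    def ids_for_name(self, display_name: str) -> set:
        # Display names need not be unique, so a name may map to several IDs.
        return {uid for uid, n in self.names.items() if n == display_name}


@dataclass
class Message:
    sender_id: str    # platform-native stable ID, attached by the platform
    sender_name: str  # mutable display name chosen by the user
    text: str


class StartupBoundAllowlist:
    """Weak pattern: display names resolved to IDs once, when the service starts."""
    def __init__(self, directory: Directory, allowed_names: list):
        self.allowed_ids = set().union(*(directory.ids_for_name(n) for n in allowed_names))

    def is_trusted(self, msg: Message) -> bool:
        return msg.sender_id in self.allowed_ids


class StableIdAllowlist:
    """Configured with stable IDs and checked per message; names are never consulted."""
    def __init__(self, allowed_ids: list):
        self.allowed_ids = set(allowed_ids)

    def is_trusted(self, msg: Message) -> bool:
        return msg.sender_id in self.allowed_ids


def simulate_rename_then_restart() -> dict:
    """An untrusted user takes the trusted user's display name, then the service restarts."""
    d = Directory({"U_ADMIN": "alice", "U_OTHER": "mallory"})
    before = StartupBoundAllowlist(d, ["alice"])   # resolved before the rename
    d.names["U_OTHER"] = "alice"                   # rename; U_ADMIN still shows "alice" too
    after = StartupBoundAllowlist(d, ["alice"])    # re-resolved at the restart
    stable = StableIdAllowlist(["U_ADMIN"])        # configured with the stable ID instead
    msg = Message(sender_id="U_OTHER", sender_name="alice", text="/deploy prod")
    return {
        "startup_bound_before_restart": before.is_trusted(msg),  # False
        "startup_bound_after_restart": after.is_trusted(msg),    # True: impersonator trusted
        "stable_id_check": stable.is_trusted(msg),               # False
    }
```

The same stable-ID check placed in front of the agent gateway is what the proposed middleware would perform on each message, independent of when the service last started.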
