What are the five OpenClaw zero-day vulnerabilities disclosed in June 2026?

Five zero-day flaws were found in OpenClaw channel integrations for Slack, Discord, Microsoft Teams, Matrix, and Zalo. They all share the same root cause: mutable display names are resolved to stable user IDs during allowlist initialization, letting attackers impersonate trusted users.

How does the OpenClaw allowlist bypass attack work?

An attacker changes their display name on a messaging platform to match an allowlisted user. On service restart, OpenClaw resolves display names to user IDs and incorrectly binds the attacker ID into the trusted allowlist, granting full agent access.

Which messaging platforms were affected by the OpenClaw allowlist zero-days?

Slack, Discord, Microsoft Teams, Matrix, and Zalo were all affected. The initial flaw was found and patched in Telegram, but the same insecure pattern was independently reimplemented in five other channel extensions.

Are the OpenClaw allowlist bypass vulnerabilities patched?

Yes. All five vulnerabilities have been acknowledged and addressed by OpenClaw maintainers. Fixes enforce strict ID-based matching and gate name-based resolution behind explicit configuration flags.

What can an attacker do after exploiting the OpenClaw allowlist bypass?

Compromised agent access can translate into arbitrary command execution, data exfiltration, or lateral movement within integrated systems, since OpenClaw agents often have access to sensitive data, internal APIs, and system-level execution capabilities.

Why did the same vulnerability appear in five different OpenClaw channel extensions?

Each channel plugin was developed independently and each reintroduced the same insecure pattern of resolving mutable display names during initialization. This highlights inconsistent security enforcement across distributed development.

How can I protect my OpenClaw instance from allowlist bypass attacks?

Update to the latest OpenClaw version that includes the patches. The fixes enforce strict ID-based matching for allowlists. Also audit your allowlist configuration and enable explicit configuration flags for name-based resolution.

← Back to dashboard

clawsmith.com/signal/openclaw-five-zero-day-allowlist-bypass-channel-trust

⚠ IssueWide OpenLive

Five OpenClaw Zero-Days Let Attackers Hijack AI Agent Access Across Slack, Discord, Teams, Matrix, Zalo

Five zero-day flaws in OpenClaw channel integrations allow attackers to bypass trust boundaries and hijack AI agent access. The root cause: display names resolved to stable user IDs during allowlist initialization, so attackers impersonate trusted users by renaming themselves before a service restart. Affects Slack, Discord, Microsoft Teams, Matrix, and Zalo. Disclosed June 3, 2026. All patched.

Product Idea from this Signal

A runtime middleware that verifies messaging channel user identities against platform-native stable IDs before any command reaches an OpenClaw agent

OpenClaw agents connect to Slack, Discord, Teams, Matrix, Telegram, and Zalo through channel plugins. The allowlist system resolves mutable display names to user IDs only at service startup. Five zero-days disclosed June 3, 2026 showed that attackers can impersonate trusted users just by renaming themselves on any platform before a restart. The fix OpenClaw shipped is config flags, but the architectural flaw persists: initialization-time identity binding is fundamentally weaker than continuous verification. A middleware sitting between channel adapters and the agent gateway would verify every inbound message against platform-native stable IDs in real time, catching impersonation attempts at message time, not just at initialization.

MIDDLEWARESECURITYOPEN-SOURCEIDENTITYRUNTIME

CompetitiveView Opportunity →