Platform: other
Component: openclaw
Fixed in: 2026.2.2
CVE-2026-28471 is a vulnerability affecting OpenClaw installations with the Matrix plugin enabled. This flaw allows remote Matrix users to bypass the DM allowlist, potentially impersonating allowed identities. The vulnerability impacts OpenClaw versions 2026.1.14-1 through 2026.2.2. A fix is available in version 2026.2.2.
The core of this vulnerability lies in the DM allowlist matching process within the Matrix plugin. Instead of validating the sender's identity against the homeserver, the plugin allows matching against display names and localparts without proper verification. An attacker can exploit this by crafting Matrix messages with display names or localparts that exactly match entries in the allowlist, effectively bypassing the intended security controls. This allows the attacker to impersonate legitimate users, potentially gaining access to their private messages, initiating actions on their behalf, or disrupting communication flows within the OpenClaw environment. The potential blast radius depends on the sensitivity of the data handled within the DM and the permissions granted to the impersonated user.
CVE-2026-28471 was publicly disclosed on March 5, 2026. Currently, there is no indication of active exploitation or a KEV listing. No public proof-of-concept (PoC) code has been released. The EPSS score is likely low given the lack of public exploitation and PoCs.
OpenClaw installations utilizing the Matrix plugin, particularly those with permissive DM allowlist configurations, are at risk. Shared hosting environments where multiple OpenClaw instances share resources could also be affected, as a compromise of one instance could potentially impact others.
Disclosure
Exploit status
EPSS: 0.04% (12th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-28471 is to upgrade OpenClaw to version 2026.2.2 or later, which includes the fix for this vulnerability. If an immediate upgrade is not feasible due to compatibility issues or downtime constraints, consider implementing temporary workarounds. While a direct WAF rule is unlikely to be effective due to the nature of the vulnerability, carefully reviewing and tightening the DM allowlist rules to prevent overly permissive matching can reduce the attack surface. Monitor Matrix logs for suspicious activity, particularly messages originating from unexpected homeservers or with unusual display names. After upgrading, confirm the fix by attempting to send a Matrix message with a display name that should be blocked by the allowlist; the message should be rejected.
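To make the matching flaw described above and the allowlist-tightening and log-review advice concrete, here is an added Python example; it is not OpenClaw's code, and the event shape, function names and sample identities are assumptions. It places a sketch of the flawed matcher (display name or bare localpart accepted, homeserver never checked) beside a hardened one that only accepts full Matrix user IDs, with a small helper for flagging senders from unexpected homeservers.

```python
import re
from dataclasses import dataclass

# A Matrix user ID (MXID) is "@localpart:homeserver". Only the full MXID, as
# attributed by the homeserver, identifies a sender; the display name is
# sender-chosen metadata, and a bare localpart can exist on any homeserver.
MXID_RE = re.compile(r"^@(?P<localpart>[^:]+):(?P<homeserver>[^\s]+)$")

@dataclass(frozen=True)
class MatrixEvent:          # hypothetical minimal event shape
    sender: str             # canonical MXID attributed by the homeserver
    display_name: str       # chosen by the sender, so attacker-controlled

def parse_mxid(mxid: str) -> tuple[str, str]:
    """Split an MXID into (localpart, homeserver); reject malformed IDs."""
    m = MXID_RE.match(mxid)
    if not m:
        raise ValueError(f"not a valid MXID: {mxid!r}")
    return m.group("localpart"), m.group("homeserver").lower()

def weak_dm_allowed(event: MatrixEvent, allowlist: set[str]) -> bool:
    """Sketch of the flawed matching: display name or bare localpart is
    compared against allowlist entries, so the homeserver is never verified."""
    localpart, _ = parse_mxid(event.sender)
    return any(c in allowlist for c in (event.sender, event.display_name, localpart))

def strict_dm_allowed(event: MatrixEvent, allowlist: set[str]) -> bool:
    """Hardened check: only full-MXID entries count, and the sender must match
    one of them exactly (homeserver compared case-insensitively)."""
    localpart, homeserver = parse_mxid(event.sender)
    canonical = f"@{localpart}:{homeserver}"
    full_entries = set()
    for entry in allowlist:
        if entry.startswith("@") and ":" in entry:   # ignore bare names/localparts
            lp, hs = parse_mxid(entry)
            full_entries.add(f"@{lp}:{hs}")
    return canonical in full_entries

def unexpected_homeserver(event: MatrixEvent, expected: set[str]) -> bool:
    """Log-review helper: flag senders whose homeserver is not one the
    deployment expects to exchange DMs with."""
    return parse_mxid(event.sender)[1] not in {h.lower() for h in expected}

# Constructed sample data, not taken from the advisory. The allowlist is a
# "permissive" one that mixes a full MXID with a bare localpart entry.
ALLOWLIST = {"@alice:example.org", "alice"}
LEGIT = MatrixEvent("@alice:example.org", "Alice")
SPOOF_DISPLAY = MatrixEvent("@mallory:other.example", "@alice:example.org")
SPOOF_LOCALPART = MatrixEvent("@alice:other.example", "Alice")
```

With the permissive allowlist, the weak matcher admits both spoofed events while the strict matcher admits only the genuine sender; tightening the allowlist to full MXIDs is what removes the bare-localpart path.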
Update OpenClaw to version 2026.2.2 or later. This version fixes the allowlist bypass vulnerability in the Matrix plugin that allowed identity spoofing via display names or matching localparts.
CVE-2026-28471 is a vulnerability in OpenClaw's Matrix plugin allowing remote attackers to bypass DM allowlists and impersonate users by matching display names or localparts without homeserver validation.
You are affected if you are running OpenClaw versions 2026.1.14-1 through 2026.2.2 with the Matrix plugin enabled and have not upgraded.
Upgrade OpenClaw to version 2026.2.2 or later to resolve the vulnerability. Consider tightening DM allowlist rules as a temporary workaround.
There is currently no evidence of active exploitation of CVE-2026-28471.
Refer to the official OpenClaw security advisories on their website or relevant security mailing lists for the latest information.