Platform: other
Component: openclaw
Fixed version: 2026.2.2
CVE-2026-28471 is a vulnerability affecting OpenClaw installations with the Matrix plugin enabled. This flaw allows remote Matrix users to bypass the DM allowlist, potentially impersonating allowed identities. The vulnerability impacts OpenClaw versions 2026.1.14-1 through 2026.2.2. A fix is available in version 2026.2.2.
The core of this vulnerability lies in the DM allowlist matching process within the Matrix plugin. Instead of validating the sender's full Matrix identity against the homeserver, the plugin matches on the sender's display name or the localpart of the Matrix ID alone, without proper verification. An attacker can exploit this by crafting Matrix messages whose display name or localpart exactly matches an allowlist entry, effectively bypassing the intended security control. This allows the attacker to impersonate legitimate users, potentially gaining access to their private messages, initiating actions on their behalf, or disrupting communication flows within the OpenClaw environment. The potential blast radius depends on the sensitivity of the data handled within the DM and the permissions granted to the impersonated user.
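The matching flaw described above, placed beside a check that accepts only fully qualified Matrix IDs, as an added TypeScript example. This is not OpenClaw's code: the function names, the event shape and the sample identities are constructed for illustration.

```typescript
// Added example (not OpenClaw's code): allowlist matching on display name or
// localpart versus matching on the complete Matrix ID (@localpart:server).
type MatrixEvent = { sender: string; displayName?: string; body: string };

// Simplified MXID grammar: @localpart:hostname[:port] (IPv6 literals omitted).
const MXID_RE = /^@[^:\s]+:[A-Za-z0-9.\-]+(?::\d+)?$/;

function localpart(mxid: string): string {
  return mxid.slice(1, mxid.indexOf(":"));
}

// Weak matcher, modelling the behaviour the advisory describes: an entry is
// accepted if it equals the sender's display name or bare localpart, so the
// homeserver part never takes part in the decision.
function weakAllowlistMatch(ev: MatrixEvent, allowlist: string[]): boolean {
  return allowlist.some((entry) => {
    const want = entry.startsWith("@") ? localpart(entry) : entry;
    return want === ev.displayName || want === localpart(ev.sender);
  });
}

// Hardened matcher: only syntactically complete MXIDs are compared, and they
// are compared whole, so a sender on another homeserver can never match.
function strictAllowlistMatch(ev: MatrixEvent, allowlist: string[]): boolean {
  if (!MXID_RE.test(ev.sender)) return false;
  return allowlist.some((entry) => MXID_RE.test(entry) && entry === ev.sender);
}

// Detection aid: events the weak matcher admits but the strict one rejects
// are exactly the impersonation attempts worth alerting on.
function suspiciousEvents(events: MatrixEvent[], allowlist: string[]): MatrixEvent[] {
  return events.filter(
    (ev) => weakAllowlistMatch(ev, allowlist) && !strictAllowlistMatch(ev, allowlist),
  );
}

// Constructed sample traffic; example.org stands for the trusted homeserver.
const ALLOWLIST = ["@alice:example.org"];
const SAMPLE: MatrixEvent[] = [
  { sender: "@alice:example.org", displayName: "alice", body: "hello" },
  { sender: "@mallory:evil.test", displayName: "alice", body: "export the notes" },
  { sender: "@alice:evil.test", displayName: "Mallory", body: "export the notes" },
];

for (const ev of suspiciousEvents(SAMPLE, ALLOWLIST)) {
  console.log(`allowlist bypass candidate from ${ev.sender} (display name "${ev.displayName}")`);
}
```

Entries that are not full MXIDs (a bare name such as "alice") never match in the strict version, which is the tightening the mitigation section asks for.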
CVE-2026-28471 was publicly disclosed on March 5, 2026. Currently, there is no indication of active exploitation or a KEV listing. No public proof-of-concept (PoC) code has been released. The EPSS score is likely low given the lack of public exploitation and PoCs.
OpenClaw installations utilizing the Matrix plugin, particularly those with permissive DM allowlist configurations, are at risk. Shared hosting environments where multiple OpenClaw instances share resources could also be affected, as a compromise of one instance could potentially impact others.
Disclosure
Exploitation status
EPSS: 0.04% (12th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-28471 is to upgrade OpenClaw to version 2026.2.2 or later, which includes the fix for this vulnerability. If an immediate upgrade is not feasible due to compatibility issues or downtime constraints, consider implementing temporary workarounds. While a direct WAF rule is unlikely to be effective due to the nature of the vulnerability, carefully reviewing and tightening the DM allowlist rules to prevent overly permissive matching can reduce the attack surface. Monitor Matrix logs for suspicious activity, particularly messages originating from unexpected homeservers or with unusual display names. After upgrading, confirm the fix by attempting to send a Matrix message with a display name that should be blocked by the allowlist; the message should be rejected.
Update OpenClaw to version 2026.2.2 or later. This version fixes the allowlist bypass vulnerability in the Matrix plugin and prevents impersonation via a matching displayName or localpart.
CVE-2026-28471 is a vulnerability in OpenClaw's Matrix plugin allowing remote attackers to bypass DM allowlists and impersonate users by matching display names or localparts without homeserver validation.
You are affected if you are running OpenClaw versions 2026.1.14-1 through 2026.2.2 with the Matrix plugin enabled and have not upgraded.
Upgrade OpenClaw to version 2026.2.2 or later to resolve the vulnerability. Consider tightening DM allowlist rules as a temporary workaround.
There is currently no evidence of active exploitation of CVE-2026-28471.
Refer to the official OpenClaw security advisories on their website or relevant security mailing lists for the latest information.