CVE-2026-28471 Overview
CVE-2026-28471 is an authentication bypass vulnerability in OpenClaw version 2026.1.14-1 prior to 2026.2.2 when the Matrix plugin is installed and enabled. The vulnerability stems from improper validation of DM (Direct Message) allowlist entries, where the application performs exact-matching against sender display names and localparts without validating the homeserver component. This flaw allows remote Matrix users to impersonate allowed identities by using attacker-controlled display names or matching localparts from different homeservers to reach the routing and agent pipeline.
Critical Impact
Remote attackers can bypass identity verification controls by exploiting insufficient homeserver validation, enabling impersonation of trusted identities and unauthorized access to messaging pipelines.
Affected Products
- OpenClaw version 2026.1.14-1 to versions prior to 2026.2.2
- OpenClaw installations with the Matrix plugin installed and enabled
- Matrix-federated deployments using allowlist-based access controls
Discovery Timeline
- 2026-03-05 - CVE-2026-28471 published to NVD
- 2026-03-05 - Last updated in NVD database
Technical Details for CVE-2026-28471
Vulnerability Analysis
This authentication bypass vulnerability (CWE-287) exists in the Matrix plugin's allowlist implementation. The core issue lies in how the application normalizes and compares Matrix user identifiers against configured allowlists. Matrix user IDs follow the format @localpart:homeserver, but the vulnerable code only performed case-insensitive matching on the full string or individual components without properly validating that the homeserver portion matches an authorized server.
An attacker on a malicious homeserver could create an account with a localpart matching an authorized user (e.g., @admin on attacker.server vs @admin on trusted.server). The flawed allowlist logic would incorrectly authorize messages from the attacker's account because it matched the localpart without verifying the homeserver domain.
Root Cause
The root cause is the insufficient parsing and validation logic in the normalizeAllowListLower function within extensions/matrix/src/matrix/monitor/allowlist.ts. The original implementation performed a simple case-insensitive lowercase conversion on allowlist entries without properly decomposing Matrix user IDs into their constituent parts (localpart and homeserver) and validating each component separately. This allowed attackers to bypass allowlist controls through homeserver mismatch attacks and display name spoofing.
Attack Vector
The attack can be executed remotely over the network without requiring authentication or user interaction. An attacker can exploit this vulnerability by:
- Creating a Matrix account on an attacker-controlled homeserver with a localpart matching an authorized user
- Sending direct messages to the vulnerable OpenClaw instance
- The flawed allowlist matching would authorize the message based on localpart match alone
- The attacker gains access to the routing and agent pipeline as an impersonated trusted identity
Security Patch (extensions/matrix/src/matrix/monitor/allowlist.ts):
return (list ?? []).map((entry) => String(entry).trim()).filter(Boolean);
}
-export function normalizeAllowListLower(list?: Array<string | number>) {
- return normalizeAllowList(list).map((entry) => entry.toLowerCase());
+function normalizeMatrixUser(raw?: string | null): string {
+ const value = (raw ?? "").trim();
+ if (!value) {
+ return "";
+ }
+ if (!value.startsWith("@") || !value.includes(":")) {
+ return value.toLowerCase();
+ }
+ const withoutAt = value.slice(1);
+ const splitIndex = withoutAt.indexOf(":");
+ if (splitIndex === -1) {
+ return value.toLowerCase();
+ }
+ const localpart = withoutAt.slice(0, splitIndex).toLowerCase();
+ const server = withoutAt.slice(splitIndex + 1).toLowerCase();
+ if (!server) {
+ return value.toLowerCase();
+ }
+ return `@${localpart}:${server.toLowerCase()}`;
}
-function normalizeMatrixUser(raw?: string | null): string {
- return (raw ?? "").trim().toLowerCase();
+export function normalizeMatrixUserId(raw?: string | null): string {
+ const trimmed = (raw ?? "").trim();
Source: GitHub Commit Update
Detection Methods for CVE-2026-28471
Indicators of Compromise
- Unexpected Matrix direct messages from untrusted or unknown homeservers reaching the agent pipeline
- Allowlist entries being matched against users from different homeservers than expected
- Authentication logs showing successful authorization for Matrix IDs with mismatched homeserver components
- Unusual routing activity from Matrix accounts with display names matching legitimate users
Detection Strategies
- Audit Matrix plugin logs for messages from homeservers not explicitly configured in the allowlist
- Implement strict homeserver validation in any custom Matrix integration code
- Review authorization events to identify pattern matches that bypass full Matrix ID validation
- Deploy network monitoring to detect federation traffic from suspicious or newly-created homeservers
Monitoring Recommendations
- Enable verbose logging for the Matrix plugin to capture full sender Matrix IDs including homeserver
- Monitor for authentication anomalies where localparts match but homeservers differ from authorized servers
- Set up alerts for direct message activity from homeservers outside your organization's trusted federation list
- Regularly audit allowlist configurations to ensure entries include full Matrix IDs with homeserver components
How to Mitigate CVE-2026-28471
Immediate Actions Required
- Upgrade OpenClaw to version 2026.2.2 or later immediately
- Review current allowlist configurations and ensure all entries specify full Matrix user IDs with homeserver components
- Audit recent Matrix plugin activity logs for potential exploitation attempts
- Consider temporarily disabling the Matrix plugin if immediate patching is not possible
Patch Information
The vulnerability has been addressed in OpenClaw version 2026.2.2. The fix introduces proper Matrix user ID normalization through the normalizeMatrixUserId function, which correctly parses and validates both the localpart and homeserver components of Matrix identifiers. The patch is available via the GitHub Commit Update.
Additional security advisories are available from the GitHub Security Advisory and VulnCheck Advisory on OpenClaw.
Workarounds
- Ensure all allowlist entries include complete Matrix user IDs in the format @localpart:homeserver
- Implement additional validation layers at the network or application level to verify homeserver authenticity
- Restrict Matrix federation to only explicitly trusted homeservers at the infrastructure level
- Monitor and audit all incoming Matrix direct messages manually until the patch is applied
# Configuration example
# Update OpenClaw to patched version
npm update openclaw@2026.2.2
# Verify Matrix plugin allowlist entries include full Matrix IDs
# Ensure entries follow format: @user:trusted-homeserver.example.com
# Avoid partial entries like just "user" or "@user"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
