CVE-2026-42433 Overview
CVE-2026-42433 is an authorization bypass vulnerability in OpenClaw versions prior to 2026.4.10. The flaw permits operator.write message-tool execution paths to access Matrix profile persistence functions that should require admin-level authority. Attackers with operator-level privileges can mutate persistent profile configuration through non-owner message-tool runs. The vulnerability is categorized under CWE-862: Missing Authorization. The issue impacts the Matrix extension's channel message tool runtime, where authorization gating was absent for profile update operations.
Critical Impact
Authenticated operator-level attackers can modify Matrix profile configuration persistence without admin authority, enabling unauthorized integrity changes to channel configuration state.
Affected Products
- OpenClaw versions before 2026.4.10
- OpenClaw Matrix extension (extensions/matrix/src/actions.ts)
- OpenClaw Matrix runtime API (extensions/matrix/src/runtime-api.ts)
Discovery Timeline
- 2026-05-05 - CVE-2026-42433 published to NVD
- 2026-05-05 - Last updated in NVD database
Technical Details for CVE-2026-42433
Vulnerability Analysis
The vulnerability resides in OpenClaw's Matrix extension, specifically in the message-tool dispatch logic. Message tools dispatched with operator.write capability could reach Matrix profile persistence operations that are reserved for channel owners or admin-level callers. The runtime did not enforce ownership checks before allowing tool runs to mutate persistent profile state. As a result, an authenticated user holding only operator-level message-tool authority could alter configuration that should be administratively gated.
This is a textbook missing authorization issue [CWE-862]. The capability check confirmed that the caller could write messages but did not validate whether the caller was the profile owner. Configuration mutations through this path persist across sessions, giving attackers a durable foothold in channel state.
Root Cause
The root cause is the absence of a ToolAuthorizationError gate on non-owner message-tool runs that touch Matrix profile updates. Patch commit fe0f686c9228fffcec6de4011da45e69a6e23e54 introduces ToolAuthorizationError into both actions.ts and runtime-api.ts to enforce ownership before profile persistence is reached. Prior to the fix, the dispatcher trusted the operator capability flag without correlating it with profile ownership context.
Attack Vector
An attacker authenticated to a channel with operator.write permissions invokes a message tool that triggers Matrix profile persistence. Because the network-reachable runtime does not check ownership, the tool run completes and writes attacker-supplied configuration. No user interaction is required beyond the attacker's own tool invocation.
// Patch from extensions/matrix/src/actions.ts
createActionGate,
readNumberParam,
readStringParam,
+ ToolAuthorizationError,
type ChannelMessageActionAdapter,
type ChannelMessageActionContext,
type ChannelMessageActionName,
type ChannelMessageToolDiscovery,
- type ChannelToolSend,
} from "./runtime-api.js";
import type { CoreConfig } from "./types.js";
Source: GitHub commit fe0f686
// Patch from extensions/matrix/src/runtime-api.ts
readReactionParams,
readStringArrayParam,
readStringParam,
+ ToolAuthorizationError,
} from "openclaw/plugin-sdk/channel-actions";
export { buildChannelConfigSchema } from "openclaw/plugin-sdk/channel-config-primitives";
export type { ChannelPlugin } from "openclaw/plugin-sdk/channel-core";
Source: GitHub commit fe0f686
The patch wires ToolAuthorizationError into the channel actions module and the runtime API surface. The fix raises this error when a non-owner attempts a profile-mutating tool run, blocking the bypass path.
Detection Methods for CVE-2026-42433
Indicators of Compromise
- Matrix profile configuration changes that did not originate from a channel owner account
- Message-tool runtime logs showing operator.write invocations followed by profile persistence writes
- Unexpected mutations to channel CoreConfig values committed by operator-level identities
Detection Strategies
- Audit OpenClaw application logs for operator.write tool dispatches that resolve into Matrix profile update actions
- Compare profile configuration write events against the actor's ownership status to surface mismatches
- Track the introduction of ToolAuthorizationError exceptions post-patch as a signal of attempted abuse
Monitoring Recommendations
- Forward OpenClaw runtime logs to a centralized analytics platform for behavioral baselining of tool invocations
- Alert on bursts of profile configuration changes correlated to non-owner identities
- Monitor changes to extensions/matrix/src/actions.ts and extensions/matrix/src/runtime-api.ts in deployed builds to confirm patch presence
How to Mitigate CVE-2026-42433
Immediate Actions Required
- Upgrade OpenClaw to version 2026.4.10 or later, which includes commit fe0f686c9228fffcec6de4011da45e69a6e23e54
- Review and reduce operator.write grants to only trusted accounts until patching is complete
- Audit recent Matrix profile configuration changes for unauthorized modifications and revert as needed
Patch Information
The fix is published in the GitHub Security Advisory GHSA-7jp6-r74r-995q and applied via the GitHub commit fe0f686. Additional context is available in the VulnCheck Advisory on OpenClaw. The patch introduces ToolAuthorizationError enforcement on non-owner message-tool runs that target profile persistence.
Workarounds
- Restrict operator.write capability assignments and limit message-tool registration to admin-controlled accounts
- Disable Matrix profile-mutating tools in channels where ownership boundaries cannot be enforced
- Place a reverse proxy authorization layer in front of the Matrix runtime API to validate caller identity against profile ownership
# Verify installed OpenClaw version meets the patched release
npm ls openclaw | grep -E "openclaw@"
# Expected: openclaw@2026.4.10 or later
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
