CVE-2026-44110 Overview
CVE-2026-44110 is an authorization bypass vulnerability in OpenClaw versions before 2026.4.15. The flaw resides in the Matrix room control-command authorization logic, which incorrectly trusts entries from the direct message (DM) pairing store. Attackers holding a DM-paired sender ID can issue privileged room control commands by posting in bot rooms, bypassing the configured allowlist entirely. This weakness maps to CWE-863: Incorrect Authorization. Successful exploitation can grant unauthorized control over OpenClaw bot behavior in shared Matrix rooms.
Critical Impact
Authenticated Matrix users with DM-pairing entries can execute privileged room control commands without being listed in the configured allowlist, leading to unauthorized OpenClaw operations.
Affected Products
- OpenClaw versions prior to 2026.4.15
- OpenClaw Matrix extension (extensions/matrix) monitor handler
- Deployments using DM pairing-store authorization for room commands
Discovery Timeline
- 2026-05-06 - CVE-2026-44110 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-44110
Vulnerability Analysis
OpenClaw integrates with Matrix to expose room control commands gated by an allowlist (allowFrom, roomConfig.users, group allowlists). The authorization path in extensions/matrix/src/matrix/monitor/handler.ts reads the DM pairing store and merges those entries into the effective allowlist used to evaluate room commands. Because the pairing store reflects past direct-message interactions rather than explicit room-command grants, any user who has previously DM-paired with the bot is treated as authorized. An attacker therefore needs only a valid DM-paired sender ID; posting the control command inside a bot-monitored room is enough. The authorization check resolves to allowed, and OpenClaw executes the privileged operation.
Root Cause
The root cause is a conflation of two distinct trust boundaries. DM pairing-store entries authorize bot-to-user direct messaging, while room control commands require membership in an explicit allowlist. Reading the pairing store unconditionally (storeAllowFrom = await readStoreAllowFrom()) caused the room authorization path to honor a credential intended for a different scope. This is a classic broken access control pattern under [CWE-863].
Attack Vector
Exploitation requires network access to the Matrix homeserver, low-privilege authenticated access as a DM-paired user, and active participation in a room monitored by the OpenClaw bot. The attacker sends a control command message to the room. The bot resolves the sender against the merged allowlist, finds a pairing-store match, and executes the command without verifying explicit room authorization.
// Patch: skip pairing-store reads for room auth
// extensions/matrix/src/matrix/monitor/handler.ts
senderNamePromise ??= getMemberDisplayName(roomId, senderId).catch(() => senderId);
return await senderNamePromise;
};
- const storeAllowFrom = await readStoreAllowFrom();
+ const storeAllowFrom = isDirectMessage ? await readStoreAllowFrom() : [];
const roomUsers = roomConfig?.users ?? [];
const accessState = resolveMatrixMonitorAccessState({
allowFrom,
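Review bot: the `+ const storeAllowFrom = isDirectMessage ? await readStoreAllowFrom() : [];` line closes the scope gap only as long as `isDirectMessage` is computed from the room's actual DM state rather than from anything the sender supplies; since that computation is outside this hunk, a one-line comment beside the new line saying where the flag comes from and why pairing-store entries must never feed room authorization would stop a future refactor from quietly reintroducing the unconditional read. Returning `[]` rather than `undefined` keeps the `resolveMatrixMonitorAccessState({ allowFrom, ...` call unchanged, which is the right choice here.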
Source: OpenClaw commit 2bfd808a
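To make the trust-boundary conflation from the Root Cause section concrete, the following is an added example and not OpenClaw's own code: it models the merged-allowlist evaluation once with the unconditional pairing-store read and once with the direct-message guard from the patch. The function and type names (resolveAccessVulnerable, resolveAccessFixed, AuthContext, MatchSource) and the Matrix IDs are assumptions made for the demonstration.

```typescript
// Added example, not OpenClaw's own code: a model of the room-command
// authorization merge described in the advisory. The names below and the
// sample Matrix IDs are assumptions made for this demonstration.

type MatchSource = "allowFrom" | "roomUsers" | "pairingStore";

interface AccessDecision {
  allowed: boolean;
  matchSource?: MatchSource;
}

interface AuthContext {
  senderId: string;
  isDirectMessage: boolean; // true only when the message arrived in a DM room
  allowFrom: string[];      // static allowlist from configuration
  roomUsers: string[];      // roomConfig.users for the room in question
  pairingStore: string[];   // sender IDs that have DM-paired with the bot
}

// Shared evaluation order: explicit allowlists first, then whatever the
// caller decided the pairing store is permitted to contribute.
function evaluate(ctx: AuthContext, storeAllowFrom: string[]): AccessDecision {
  if (ctx.allowFrom.includes(ctx.senderId)) return { allowed: true, matchSource: "allowFrom" };
  if (ctx.roomUsers.includes(ctx.senderId)) return { allowed: true, matchSource: "roomUsers" };
  if (storeAllowFrom.includes(ctx.senderId)) return { allowed: true, matchSource: "pairingStore" };
  return { allowed: false };
}

// Vulnerable behaviour (CWE-863): the pairing store is read unconditionally,
// so a DM-paired sender is authorized for room commands as well.
function resolveAccessVulnerable(ctx: AuthContext): AccessDecision {
  const storeAllowFrom = ctx.pairingStore;
  return evaluate(ctx, storeAllowFrom);
}

// Fixed behaviour, mirroring `isDirectMessage ? readStoreAllowFrom() : []`:
// pairing-store entries only count when the message came through a DM.
function resolveAccessFixed(ctx: AuthContext): AccessDecision {
  const storeAllowFrom = ctx.isDirectMessage ? ctx.pairingStore : [];
  return evaluate(ctx, storeAllowFrom);
}

// Constructed scenario: @guest has DM-paired with the bot but appears on no
// room allowlist, and posts a control command in a monitored room.
const GUEST_IN_ROOM: AuthContext = {
  senderId: "@guest:example.org",
  isDirectMessage: false,
  allowFrom: ["@admin:example.org"],
  roomUsers: ["@oncall:example.org"],
  pairingStore: ["@guest:example.org"],
};

// Returns both decisions side by side for the scenario above.
function demo(): { before: AccessDecision; after: AccessDecision } {
  return {
    before: resolveAccessVulnerable(GUEST_IN_ROOM),
    after: resolveAccessFixed(GUEST_IN_ROOM),
  };
}
```

The two resolvers differ in a single line, which is exactly the shape of the upstream patch: the allowlist evaluation is unchanged, and only the input that the pairing store is allowed to contribute is narrowed to the DM context.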
Detection Methods for CVE-2026-44110
Indicators of Compromise
- Matrix room events containing OpenClaw control commands from sender IDs not present in the configured allowFrom or roomConfig.users lists.
- Bot audit logs showing successful command execution where the authorization decision references a pairing-store match rather than an allowlist match.
- Unexpected privileged OpenClaw actions originating from rooms containing externally invited DM-paired users.
Detection Strategies
- Review OpenClaw monitor logs for command executions where directAllowMatch.matchSource points to pairing-store derived entries before the patch was applied.
- Cross-reference command-issuing sender IDs against the static allowFrom configuration; flag any mismatch.
- Hunt for room control commands posted in bot rooms by accounts that have only ever interacted via direct message historically.
Monitoring Recommendations
- Enable verbose authorization logging in the OpenClaw Matrix extension to capture the resolved MatrixMonitorAccessState for each command.
- Forward Matrix client-server API logs and OpenClaw bot logs to a centralized analytics platform for correlation.
- Alert on first-time command issuance per sender ID per room to surface lateral abuse of DM-paired identities.
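The Detection Strategies and Monitoring Recommendations above can be turned into a small hunt that runs over exported bot audit logs. The following is an added example and not part of OpenClaw or this advisory: the JSON-lines log format, the field names (matchSource, isDirectMessage) and the Matrix IDs are constructed for the demonstration, and a real deployment's log schema will need to be mapped onto it. It flags three things per allowed room command: an authorization decision that rested on a pairing-store match, a sender absent from the static allowFrom/roomConfig.users configuration, and the first command ever seen from a sender in a given room.

```typescript
// Added example, not OpenClaw's code. The audit-log shape below is constructed
// for this demonstration; map your real log fields onto AuditEvent.

interface AuditEvent {
  ts: string;
  roomId: string;
  senderId: string;
  isDirectMessage: boolean;
  command: string;
  allowed: boolean;
  matchSource: string; // e.g. "allowFrom", "roomUsers", "pairingStore"
}

interface StaticAllowlist {
  allowFrom: string[];                 // global allowFrom from configuration
  roomUsers: Record<string, string[]>; // roomId -> roomConfig.users
}

type Reason =
  | "PAIRING_STORE_ROOM_AUTH"   // pairing-store entry authorized a room command
  | "NOT_IN_STATIC_ALLOWLIST"   // sender missing from allowFrom / roomConfig.users
  | "FIRST_COMMAND_IN_ROOM";    // first command from this sender in this room

interface Finding { ts: string; roomId: string; senderId: string; reason: Reason; }

// Parses one JSON audit line; malformed or incomplete lines are skipped.
function parseAuditLine(line: string): AuditEvent | null {
  try {
    const obj = JSON.parse(line);
    if (typeof obj.senderId !== "string" || typeof obj.roomId !== "string") return null;
    return obj as AuditEvent;
  } catch {
    return null;
  }
}

// Runs the three checks over every successfully executed room command.
function huntPairingStoreAbuse(lines: string[], cfg: StaticAllowlist): Finding[] {
  const findings: Finding[] = [];
  const seen = new Set<string>(); // "roomId|senderId" pairs already observed
  for (const line of lines) {
    const ev = parseAuditLine(line);
    if (!ev || !ev.allowed || ev.isDirectMessage) continue; // DMs are in scope for pairing
    const base = { ts: ev.ts, roomId: ev.roomId, senderId: ev.senderId };
    const staticAllowed =
      cfg.allowFrom.includes(ev.senderId) ||
      (cfg.roomUsers[ev.roomId] ?? []).includes(ev.senderId);
    if (ev.matchSource === "pairingStore") findings.push({ ...base, reason: "PAIRING_STORE_ROOM_AUTH" });
    if (!staticAllowed) findings.push({ ...base, reason: "NOT_IN_STATIC_ALLOWLIST" });
    const key = `${ev.roomId}|${ev.senderId}`;
    if (!seen.has(key)) {
      seen.add(key);
      findings.push({ ...base, reason: "FIRST_COMMAND_IN_ROOM" });
    }
  }
  return findings;
}

// Tallies findings by reason so a dashboard or test can read the result.
function countByReason(findings: Finding[]): Record<string, number> {
  const counts: Record<string, number> = {};
  for (const f of findings) counts[f.reason] = (counts[f.reason] ?? 0) + 1;
  return counts;
}

// Constructed sample log: one legitimate admin command, a DM-paired guest
// issuing room commands, the same guest in a genuine DM, one garbage line,
// and one denied command that should be ignored.
const SAMPLE_AUDIT_LINES: string[] = [
  '{"ts":"2026-05-07T09:00:00Z","roomId":"!ops:example.org","senderId":"@admin:example.org","isDirectMessage":false,"command":"/pause","allowed":true,"matchSource":"allowFrom"}',
  '{"ts":"2026-05-07T09:01:00Z","roomId":"!ops:example.org","senderId":"@guest:example.org","isDirectMessage":false,"command":"/resume","allowed":true,"matchSource":"pairingStore"}',
  '{"ts":"2026-05-07T09:02:00Z","roomId":"!dm-guest:example.org","senderId":"@guest:example.org","isDirectMessage":true,"command":"/status","allowed":true,"matchSource":"pairingStore"}',
  '{"ts":"2026-05-07T09:03:00Z","roomId":"!ops:example.org","senderId":"@guest:example.org","isDirectMessage":false,"command":"/pause","allowed":true,"matchSource":"pairingStore"}',
  "not a json line",
  '{"ts":"2026-05-07T09:04:00Z","roomId":"!ops:example.org","senderId":"@stranger:example.org","isDirectMessage":false,"command":"/pause","allowed":false,"matchSource":""}',
];

const SAMPLE_CONFIG: StaticAllowlist = {
  allowFrom: ["@admin:example.org"],
  roomUsers: { "!ops:example.org": ["@oncall:example.org"] },
};

function runHunt(): Finding[] {
  return huntPairingStoreAbuse(SAMPLE_AUDIT_LINES, SAMPLE_CONFIG);
}
```

The first two reasons are the high-signal ones for this CVE; the first-command-per-room check fires for legitimate users too and is meant as a low-priority alert to review, which is why the example reports reasons separately rather than collapsing them into one score.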
How to Mitigate CVE-2026-44110
Immediate Actions Required
- Upgrade OpenClaw to version 2026.4.15 or later, which includes the fix that scopes pairing-store reads to direct messages only.
- Audit existing DM pairing-store entries and remove any that correspond to untrusted or external users.
- Review the allowFrom, roomConfig.users, and group allowlists to ensure room command authorization is explicit and minimal.
Patch Information
The vulnerability is fixed by two commits in the OpenClaw repository. Commit 2bfd808a ensures pairing-store entries are only consulted when the message originates from a direct message context. Commit f8705f51 introduces a dedicated MatrixMonitorAllowListMatch type that prevents pairing-store entries from authorizing room control commands. Full details are in the GHSA-2gvc-4f3c-2855 advisory and the VulnCheck advisory.
Workarounds
- Restrict OpenClaw bot rooms to invite-only and remove untrusted members until the patch is deployed.
- Disable room control command handling in the Matrix extension configuration if the feature is not required.
- Clear or rotate the DM pairing store to invalidate any pairings established by suspect accounts.
# Upgrade OpenClaw to the patched release
git fetch --tags
git checkout v2026.4.15
npm install
npm run build
# Restart the OpenClaw service after deployment
systemctl restart openclaw
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.