CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



GHSA-RG8M-3943-VM6Q

GHSA-RG8M-3943-VM6Q: Authorization Bypass in OpenClaw Matrix Extension via Reply Context

Amit Schendel
Amit Schendel
Senior Security Researcher

Apr 3, 2026·7 min read·25 visits

Executive Summary (TL;DR)

A flaw in OpenClaw's Matrix message parsing allows unauthorized senders to inject malicious input into the AI agent's context by exploiting how the application fetches unvalidated reply and thread contexts.

OpenClaw versions 2026.3.28 and earlier contain an improper authorization vulnerability in the Matrix extension. The application fails to validate the sender of threaded messages or reply contexts against the configured allowlist. This allows unauthorized attackers to inject arbitrary content into the AI assistant's context window when an authorized user interacts with an attacker's message.

Vulnerability Overview

OpenClaw is a self-hosted AI personal assistant platform that integrates with various communication protocols. The Matrix extension allows users to interact with the AI agent within Matrix rooms and direct messages. To secure these interactions, OpenClaw implements access controls via the groupAllowFrom and roomsConfig settings. These mechanisms form an allowlist that dictates which Matrix users possess the authorization to invoke the AI agent.

The vulnerability, tracked as GHSA-RG8M-3943-VM6Q, represents an authorization bypass (CWE-285, CWE-863) within the message ingestion pipeline of the Matrix extension. While the application correctly validates the sender of an incoming message against the allowlist, it fails to perform the same validation on secondary message components. Specifically, when an incoming message is a reply or part of a thread, OpenClaw automatically fetches the original message content to provide the LLM with conversational context.

The core issue lies in the system's implicit trust of this fetched context. Because the system omits a sender validation check on the referenced message, content authored by non-allowlisted users enters the AI's processing pipeline. This architectural oversight provides a vector for unauthorized actors to interact with the underlying LLM, bypassing the intended perimeter controls defined by the administrator.

Root Cause Analysis

The root cause of this vulnerability exists in the logical flow of the Matrix event handler. When a new event triggers the webhook or polling mechanism, the system evaluates the primary senderId associated with the event. If the senderId matches an entry in the groupAllowFrom list, the application proceeds to construct the context object required by the language model.

During this context construction phase, the application attempts to resolve relational data to maintain conversational coherence. If the triggering event contains a m.thread or m.in_reply_to relation, OpenClaw executes a secondary fetch operation to retrieve the parent event. Prior to the fix, the application appended the parent event's body to the inbound context array without inspecting the parent event's senderId.

This discrepancy between primary event validation and secondary context validation creates an exploitable condition. The system incorrectly assumes that an authorized reply implies authorization of the original message content.

Code Analysis and Patch Review

The official fix was implemented in commit 8a563d603b70ef6338915f0527bee87282c3bad5. The maintainers addressed the flaw by introducing an explicit authorization barrier for fetched contextual data. The core of the remediation resides in extensions/matrix/src/matrix/monitor/handler.ts, where a new helper function named shouldIncludeRoomContextSender was integrated into the processing logic.

The patch modifies the resolveReplyContext and resolveThreadContext utility functions to ensure they return not only the message body but also the senderId of the parent message. The handler.ts script then passes this senderId to the shouldIncludeRoomContextSender function. This function compares the parent sender against the effectiveRoomUsers and effectiveGroupAllowFrom arrays.

If the validation fails, the application gracefully drops the unauthorized context. The threadContext or replyContext variable is set to undefined, preventing the unauthorized text from being appended to the ThreadStarterBody or similar context properties. The system also logs the intervention: matrix: drop thread root context (sender allowlist).

// Regression Test Demonstrating the Fix
it("drops thread and reply context fetched from non-allowlisted room senders", async () => {
  const { handler, finalizeInboundContext } = createMatrixHandlerTestHarness({
    groupPolicy: "allowlist",
    groupAllowFrom: ["@alice:example.org"],
  });
 
  await handler("!room:example.org", createMatrixTextMessageEvent({
      sender: "@alice:example.org", 
      body: "@room follow up",
      relatesTo: {
        rel_type: "m.thread",
        event_id: "$thread-root", // Authored by unauthorized user
      },
  }));
 
  const finalized = vi.mocked(finalizeInboundContext).mock.calls.at(-1)?.[0];
  expect(finalized.ThreadStarterBody).toBeUndefined(); // Validates the drop
});

The fix is comprehensive for this specific attack vector. By enforcing uniform validation across both primary events and secondary relational contexts, the application closes the parsing loophole. Setting the context to undefined ensures no residual data fragments reach the LLM.

Exploitation Methodology

Exploiting this vulnerability requires a specific set of preconditions and passive user interaction (UI:P). The attacker must reside in a Matrix room where the OpenClaw agent operates and where at least one authorized user is present. The attacker does not need to be on the groupAllowFrom list, nor do they require elevated privileges within the Matrix server itself.

The attack sequence initiates when the attacker transmits a malicious message into the shared room. This message typically contains a prompt injection payload designed to manipulate the AI agent's instructions. Upon transmission, the OpenClaw agent receives the event, checks the sender against the allowlist, and silently discards the message due to the authorization failure.

The critical phase relies on interaction from an authorized user. The authorized user must reply to the attacker's message or start a thread based on it. This action generates a new Matrix event authored by a trusted sender. When OpenClaw processes this new event, the allowlist validation succeeds.

The application then traverses the relational data defined in the authorized user's message. It fetches the attacker's initial payload and loads it into the AI's processing context. The underlying language model ingests the attacker's payload as legitimate conversational context, executing the embedded prompt injection instructions within the operational scope of the authorized user.

Impact Assessment

The CVSS v4.0 vector (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N) assigns this vulnerability a base score of 5.1 (Medium). The score reflects the necessity of user interaction (UI:P) and the specific attack requirements (AT:P), specifically the presence of an authorized user willing to interact with the attacker's content.

The primary impact manifests as a loss of confidentiality (VC:L) and integrity (VI:L) localized to the AI agent's operational capabilities. An attacker successfully exploiting this bypass achieves indirect prompt injection. Depending on the tools and APIs exposed to the OpenClaw agent, the injected instructions force the agent to perform unauthorized actions or disclose sensitive information accessible to the authorized user's session.

The scope is constrained by the permissions granted to the AI model itself. The vulnerability does not provide the attacker with direct remote code execution on the host server running the OpenClaw binary, nor does it compromise the underlying Matrix infrastructure. The severity scales directly with the sensitivity of the integrations and data stores accessible to the OpenClaw agent within the targeted deployment.

Remediation and Mitigation

The definitive remediation strategy requires upgrading the openclaw npm package to version 2026.3.31 or higher. This release integrates commit 8a563d603b70ef6338915f0527bee87282c3bad5, which introduces the required contextual sender validation logic. System administrators must restart the OpenClaw service following the package update to ensure the new application logic takes effect.

Organizations should review their Matrix extension configurations. Ensure the groupPolicy parameter is explicitly set to allowlist. Verify that the groupAllowFrom array contains only highly trusted Matrix IDs. Removing unnecessary or overly permissive entries from the allowlist reduces the overall attack surface and limits the number of users capable of inadvertently triggering the exploit chain.

Security teams can monitor for exploitation attempts by analyzing the application's runtime logs. Following the application of the patch, any attempt to inject context from an unauthorized sender generates a specific log entry: matrix: drop thread root context (sender allowlist). A high volume of these log messages originating from specific rooms indicates targeted prompt injection attempts or misconfigured authorized users repeatedly interacting with untrusted content.

Official Patches

OpenClawOfficial Release v2026.3.31 containing the security patch
OpenClawSource code commit implementing the contextual validation fix

Fix Analysis (1)

Technical Appendix

CVSS Score
5.1/ 10
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Affected Systems

OpenClaw Matrix Extensionopenclaw npm package

Affected Versions Detail

Product
Affected Versions
Fixed Version
openclaw
OpenClaw
<= 2026.3.282026.3.31
AttributeDetail
CWE IDCWE-285, CWE-863
Attack VectorNetwork
CVSS v4.0 Score5.1 (Medium)
Exploit StatusProof-of-Concept Available
ImpactAuthorization Bypass, Prompt Injection
Patch StatusPatched in v2026.3.31

MITRE ATT&CK Mapping

T1548Abuse Elevation Control Mechanism
Privilege Escalation
T1071Application Layer Protocol
Command and Control
CWE-863
Incorrect Authorization

The application performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Known Exploits & Detection

Regression Test PoCProof of concept demonstrating the bypass logic is included in the unit tests of the official fix commit.

Vulnerability Timeline

Fix commit 8a563d603b70ef6338915f0527bee87282c3bad5 merged into mainline repository.
2026-03-31
Patched version 2026.3.31 released to the public.
2026-03-31
GitHub Security Advisory GHSA-RG8M-3943-VM6Q published.
2026-04-02

References & Sources

  • [1]GitHub Security Advisory GHSA-RG8M-3943-VM6Q
  • [2]Fix Commit 8a563d603b70ef6338915f0527bee87282c3bad5
  • [3]OpenClaw Release v2026.3.31

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•1 day ago•CVE-2026-54269
5.3

CVE-2026-54269: Runtime Property Shadowing and Denial of Service in protobufjs

A property shadowing vulnerability exists in protobufjs where schema-derived names can collide with and overwrite runtime-critical internal helper properties. This issue leads to uncaught runtime exceptions and crash-based Denial of Service.

Alon Barad
Alon Barad
6 views•6 min read
•3 days ago•CVE-2025-6965
7.7

CVE-2025-6965: Remote Code Execution via Integer Truncation in SQLite Aggregate Parser

An integer truncation vulnerability (CWE-197) exists in SQLite before version 3.50.2 during the processing of aggregate queries with more than 32,767 distinct column references. This causes an internal 32-bit counter to truncate to a signed 16-bit integer, producing negative values that cause out-of-bounds heap operations in release builds.

Amit Schendel
Amit Schendel
13 views•6 min read
•3 days ago•CVE-2026-47291
9.8

CVE-2026-47291: Remote Code Execution in Windows HTTP.sys Kernel Driver

An integer overflow vulnerability in the Windows kernel-mode HTTP driver (HTTP.sys) allows an unauthenticated remote attacker to execute arbitrary code with kernel privileges or cause a Denial of Service via a specially crafted sequence of HTTP request headers.

Amit Schendel
Amit Schendel
26 views•8 min read
•3 days ago•CVE-2026-11822
7.8

CVE-2026-11822: Memory Corruption and Buffer Overflow in SQLite FTS5 Extension

A memory corruption vulnerability exists in the FTS5 (Full-Text Search 5) extension of SQLite prior to version 3.53.2. An attacker can construct a malicious database file containing corrupt FTS5 page data. Querying this database triggers out-of-bounds reads and heap-based buffer overflows, potentially causing a crash or arbitrary code execution.

Amit Schendel
Amit Schendel
8 views•5 min read
•4 days ago•CVE-2026-56350
6.3

CVE-2026-56350: SSO Enforcement Bypass in n8n via API Parameter Pollution / Mass Assignment

A mass assignment vulnerability (CWE-915) in n8n's self-service settings API endpoint (PATCH /me/settings) allows authenticated Single Sign-On (SSO) users to disable SSO enforcement for their accounts by injecting administrative parameters. This bypasses organizational identity provider controls and multi-factor authentication (MFA).

Amit Schendel
Amit Schendel
11 views•6 min read
•8 days ago•CVE-2026-55699
6.5

CVE-2026-55699: Arbitrary Directory Deletion via Path Traversal in pnpm globalBinDir Resolver

CVE-2026-55699 (also identified as GHSA-4gxm-v5v7-fqc4) is a critical path traversal and arbitrary directory deletion vulnerability in the pnpm package manager. The issue exists because the manifest validation process fails to prevent relative path segments within the package 'bin' keys. When a malicious package containing structured path traversal markers is globally installed and later manipulated, pnpm resolves the target paths through path.join() and passes the resolved paths to a recursive deletion function, resulting in arbitrary directory removal.

Amit Schendel
Amit Schendel
26 views•6 min read