OpenClaw maintainers patched five zero-day vulnerabilities this week across the platform’s Slack, Discord, Microsoft Teams, Matrix, and Zalo channel extensions. Security researcher Philip Garabandic disclosed the flaws, which allowed attackers to bypass user allowlists by impersonating trusted identities through mutable display names. All five are fully patched and no longer exploitable in updated deployments. The attack pattern matters for any team running AI agents with name-based authorization.

The Vulnerability

OpenClaw’s security model relies on operator-defined allowlists that control which users can interact with an AI agent. At runtime, the system correctly checks stable user IDs. The flaw was in the startup resolution path: when the gateway initializes, it resolves human-readable allowlist entries (like “Alice”) against platform user directories and writes the resulting stable IDs into the trusted list.

Because display names on Slack, Discord, Teams, Matrix, and Zalo are mutable, any user on the platform can rename themselves to match an allowlisted identity, according to Garabandic’s writeup. On the next gateway restart, the resolution logic binds the attacker’s ID into the allowlist. The legitimate user gets silently rejected. The attacker gains full agent access.

The consequences in AI agent environments are severe: compromised allowlist access can enable arbitrary command execution, data exfiltration, and lateral movement through integrated systems, as Cyber Security News reported.

Same Bug, Five Platforms

The root cause traces back to a known Telegram advisory that was patched months earlier. The lesson never propagated. Each channel extension was written independently by different contributors, and all five reimplemented the same insecure pattern: resolving mutable display names at startup without checking OpenClaw’s existing dangerouslyAllowNameMatching configuration flag.

Garabandic found the five instances using agentgg, an open-source CLI tool for AI-driven static analysis. The tool generates custom detection rules from historical advisories. He fed in OpenClaw’s prior CVEs, the tool produced twelve targeted detectors, and one of them, openclaw-audit-allowlist-identity-hunter, flagged the same bug shape across all five extensions.

Individual advisories have been published on GitHub for Slack, Discord, Matrix, Zalo, and Microsoft Teams. All five classify as CWE-639: authorization bypass through user-controlled identifiers.

Patches and Fixes

OpenClaw maintainers addressed all five vulnerabilities with fixes that enforce strict ID-based matching and gate name-based resolution behind explicit configuration flags. Operators running OpenClaw with allowlists on any of the five affected platforms should update immediately.
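The startup-resolution bug described under "The Vulnerability" and the shape of the fix described here, side by side, as an added illustration that is not OpenClaw's own code. The directory, user IDs, ID format, and function names are constructed for the example; the only name taken from the page is the dangerouslyAllowNameMatching flag.

```typescript
// Added illustration of the allowlist-resolution bug class (display names
// resolved into trusted IDs at gateway startup). Not OpenClaw's code: the
// directory, IDs, ID format and function names are constructed for this example.

interface DirectoryUser { id: string; displayName: string }

// Constructed directory: an attacker (U999) has renamed themselves to "Alice"
// and happens to be listed ahead of the legitimate Alice (U001).
const directory: DirectoryUser[] = [
  { id: "U999", displayName: "Alice" }, // attacker, mutable name set to match
  { id: "U001", displayName: "Alice" }, // the user the operator meant
  { id: "U002", displayName: "Bob" },
];

// Assumed stable-ID format for this example's platform.
const looksLikeStableId = (entry: string): boolean => /^U\d{3}$/.test(entry);

// Vulnerable startup resolution: the first display-name match wins, so the
// attacker's ID is written into the trusted list and the real Alice is not.
function resolveAllowlistVulnerable(entries: string[], dir: DirectoryUser[]): Set<string> {
  const ids = new Set<string>();
  for (const entry of entries) {
    if (looksLikeStableId(entry)) { ids.add(entry); continue; }
    const match = dir.find((u) => u.displayName === entry);
    if (match) ids.add(match.id);
  }
  return ids;
}

// Hardened resolution: only stable IDs are trusted by default; a name entry is
// honoured solely when the operator opts in, and never when it is ambiguous.
function resolveAllowlistSafe(
  entries: string[], dir: DirectoryUser[], opts = { dangerouslyAllowNameMatching: false },
): { ids: Set<string>; rejected: string[] } {
  const ids = new Set<string>();
  const rejected: string[] = [];
  for (const entry of entries) {
    if (looksLikeStableId(entry)) { ids.add(entry); continue; }
    const matches = dir.filter((u) => u.displayName === entry);
    if (opts.dangerouslyAllowNameMatching && matches.length === 1) ids.add(matches[0].id);
    else rejected.push(entry); // not an ID, no opt-in, or a name collision: surface it
  }
  return { ids, rejected };
}

// The runtime check is ID-based in both versions; the resolver is the weak point.
const isAllowed = (userId: string, allowlist: Set<string>): boolean => allowlist.has(userId);
```

Logging the rejected entries at startup is what turns a silent lockout of the legitimate user into a visible configuration error.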

The Pattern That Keeps Repeating

This is the second time in 2026 that OpenClaw has faced a batch of related security vulnerabilities across its channel extensions. The broader lesson, as Garabandic noted, is that patching one component does not eliminate an underlying vulnerability class. Without systemic detection across parallel implementations, the same flaw propagates silently.

For teams deploying AI agents with platform-level authorization, the takeaway is concrete: never resolve trust boundaries through mutable identifiers. Display names, nicknames, and usernames are user-controlled strings. Stable platform IDs are the only safe anchor for allowlist enforcement. If your agent framework offers a “match by name” convenience flag, treat it as a security decision, not a usability feature.