OpenClaw Matrix Plugin DM Allowlist Bypass Vulnerability
Vulnerability
A vulnerability exists in OpenClaw versions 2026.1.14-1 prior to 2026.2.2, specifically within the Matrix plugin, that can be exploited to bypass direct message (DM) allowlist matching. The issue arises because the allowlist check exact-matches sender display names and bare localparts, neither of which is validated by the homeserver. As a result, remote Matrix users can impersonate allowed identities by setting a matching display name or by using a matching localpart on a different homeserver, thereby reaching the routing and agent pipeline.
Impact
Exploitation of this vulnerability causes DM allowlist identity confusion: unauthorized users can impersonate allowed identities and, depending on the Matrix channel policies in place, gain access to restricted functionality.
Reproduction
To reproduce this vulnerability, configure the Matrix DM allowlist to include display names or bare localparts. Then, have a remote Matrix user send a message that matches the allowlist entry using an attacker-controlled display name or a localpart from a different homeserver. The message will bypass the allowlist check and be processed as if it came from an allowed identity.
Remediation
Upgrade OpenClaw to version 2026.2.2 or later. Ensure that Matrix allowlists only include full Matrix user IDs (MXIDs), such as '@user:server', and avoid using display names or bare localparts.
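An added example (not OpenClaw's own code) of the allowlist check the remediation describes: the vulnerable matcher that also accepts display names and bare localparts, beside a hardened matcher that accepts only full MXIDs and compares them against the sender MXID the homeserver stamps on the event. The interface, function names and sample identities are assumptions constructed for this illustration.

```typescript
// Added example, not OpenClaw code: Matrix DM allowlist matching, vulnerable
// pattern beside the hardened form. Names and sample values are constructed.

// Minimal shape of an inbound DM as the plugin would see it.
// `sender` is the MXID the homeserver stamps on the event (authoritative);
// `displayName` is free-form profile data chosen by the remote user.
interface InboundDm {
  sender: string;       // e.g. "@alice:example.org"
  displayName: string;  // e.g. "alice" (attacker-controllable)
}

// Full MXID: "@localpart:server". Entries not in this form are rejected.
const MXID_RE = /^@[^:\s]+:[^\s]+$/;

// Localpart of an MXID: "@alice:example.org" -> "alice".
function localpart(mxid: string): string {
  return mxid.slice(1, mxid.indexOf(":"));
}

// Vulnerable pattern (the pre-2026.2.2 behaviour the advisory describes):
// an entry also matches the sender's display name or bare localpart, so a
// user on any homeserver who picks the same name passes the check.
function matchesAllowlistVulnerable(dm: InboundDm, allow: string[]): boolean {
  return allow.some(
    (e) => e === dm.sender || e === dm.displayName || e === localpart(dm.sender),
  );
}

// Hardened: refuse any allowlist entry that is not a full MXID (fail closed
// at config load rather than silently never matching), then compare only
// against the authenticated sender MXID with an exact string comparison.
function validateAllowlist(allow: string[]): string[] {
  const bad = allow.filter((e) => !MXID_RE.test(e));
  if (bad.length > 0) {
    throw new Error(
      `Matrix DM allowlist entries must be full MXIDs (@user:server): ${bad.join(", ")}`,
    );
  }
  return allow;
}

function matchesAllowlist(dm: InboundDm, allow: string[]): boolean {
  return validateAllowlist(allow).includes(dm.sender);
}

// Constructed scenario: the allowed user is @alice:example.org; a user on a
// different homeserver sets the display name "alice" and has localpart "alice".
const legit: InboundDm = { sender: "@alice:example.org", displayName: "Alice" };
const impersonator: InboundDm = { sender: "@alice:other.example", displayName: "alice" };
```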
