OpenClaw Flaws Enable AI Agent Hijacking via Identity Confusion

Five zero-day vulnerabilities in OpenClaw let attackers hijack AI agent access across multiple chat platforms by exploiting mutable display names during identity resolution.

CSBadmin

Identity Resolution Flaw Opens Trust Boundaries

A set of five zero-day vulnerabilities in the OpenClaw framework allows attackers to hijack trusted AI agent access by exploiting how the system resolves user identities. OpenClaw integrates AI agents with messaging platforms such as Slack, Discord, Microsoft Teams, Matrix, and Telegram, relying on user-defined allowlists to determine who can interact with an agent. These allowlists are meant to restrict access to sensitive data, internal APIs, or system-level execution capabilities to only explicitly approved users.

Security researcher Philip Garabandic discovered that the trust model breaks down due to improper identity resolution during allowlist processing. The system resolves human-readable identifiers, such as display names, to stable user IDs only at service initialization. Since display names are mutable across most chat platforms, an attacker can impersonate a trusted user by simply renaming themselves to match an allowlisted identity before a service restart. This grants the attacker full control over agent interactions while silently excluding the legitimate user.

Recurring Pattern Across Multiple Platforms

The root cause of the five flaws is the same insecure pattern that was previously identified and patched in OpenClaw’s Telegram integration under advisory GHSA-mj5r-hh7j-4gxf. Despite the fix, the identical vulnerability was reintroduced independently in the Slack, Discord, Matrix, Zalo, and Microsoft Teams channel extensions. Each implementation separately repeated the same flawed startup resolution process, where allowlist entries are looked up via mutable fields like displayName or username, rather than stable identifiers.
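The startup-resolution pattern described above, sketched beside a stable-ID alternative. This is an added illustration, not OpenClaw code: the directory records, the `U…` ID shape and the function names are constructed for the example, and the way a name collision resolves is an assumption.

```javascript
// Constructed directory snapshots; `id` is stable, `displayName` is user-editable.
const atDeploy = [
  { id: "U1001", displayName: "alice" },   // the user the operator meant to trust
  { id: "U2002", displayName: "guest" },
];
const atRestart = [
  { id: "U1001", displayName: "alice" },
  { id: "U2002", displayName: "alice" },   // a second account now carries the same name
];

// Flawed pattern: allowlist entries are matched on a mutable field at startup.
// Assumption of this sketch: on a name collision the last record wins.
function resolveByDisplayName(allowlist, users) {
  const byName = new Map(users.map((u) => [u.displayName, u.id]));
  const ids = new Set();
  for (const entry of allowlist) {
    if (byName.has(entry)) ids.add(byName.get(entry));
  }
  return ids;
}

// Hardened pattern: entries must already be stable IDs; names are never looked up.
const STABLE_ID = /^U\d+$/; // assumed ID shape for this sample
function resolveByStableId(allowlist, users) {
  const known = new Set(users.map((u) => u.id));
  const ids = new Set();
  const rejected = [];
  for (const entry of allowlist) {
    if (STABLE_ID.test(entry) && known.has(entry)) ids.add(entry);
    else rejected.push(entry); // surface to the operator instead of guessing
  }
  return { ids, rejected };
}

// Authorization at message time compares the sender's stable ID only.
function isAllowed(ids, senderId) {
  return ids.has(senderId);
}
```

With the name-based resolver, the same allowlist entry maps to a different account after the restart; with the ID-based resolver, a name entry is reported in `rejected` rather than resolved.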

The vulnerabilities were uncovered using agentgg, a specialized AI-driven static analysis tool that generates custom detectors based on historical security advisories. By analyzing prior OpenClaw vulnerabilities, the tool developed targeted detection logic for recurring anti-patterns and identified the flaw replicated across multiple modules. This discovery highlights the challenge of enforcing consistent security practices across distributed development efforts.

Source: Cyber Security News
