LeakyCreds

CVE-2026-28471 - Vulnerability Analysis

Severity: High (CVSS: 8.4)

Last Updated: March 5, 2026

OpenClaw - Authentication Bypass

Published: March 5, 2026
Updated: March 5, 2026

Overview

OpenClaw versions from 2026.1.14-1 up to, but not including, 2026.2.2 contain an authentication bypass when the Matrix plugin is enabled. The DM allowlist is matched against the sender's display name or the localpart of the sender's Matrix user ID without validating the homeserver, so a remote Matrix user on any homeserver can choose a display name or register a localpart that matches an allowlisted identity and be treated as that identity. Exploitation requires the Matrix plugin to be enabled.
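
The flaw class described above, as an added illustration that is not OpenClaw's code: a DM allowlist check that accepts a match on the sender's display name or localpart alone, beside one that compares only the full, homeserver-qualified Matrix user ID. The Sender shape, the function names and the sample identities and allowlist are assumptions made for this example.

```python
"""Allowlist matching on display name / localpart vs. on the full Matrix ID.

Added example for the flaw class behind CVE-2026-28471; not OpenClaw's code.
The Sender shape, function names and sample identities are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Matrix user IDs look like @localpart:homeserver (the server part may include a port).
MXID_RE = re.compile(r"^@([^:]+):(.+)$")


@dataclass(frozen=True)
class Sender:
    """Identity fields that arrive with a Matrix DM (constructed for this example)."""
    mxid: str          # assigned by the sender's own homeserver, e.g. "@alice:example.org"
    display_name: str  # free-form and sender-chosen, so never an authenticator


def parse_mxid(value: str) -> Optional[tuple[str, str]]:
    """Return (localpart, homeserver) or None if value is not a Matrix user ID."""
    m = MXID_RE.match(value)
    return (m.group(1), m.group(2)) if m else None


def vulnerable_is_allowed(sender: Sender, allowlist: list[str]) -> bool:
    """The flawed pattern: a sender passes if their display name or localpart
    equals an allowlist entry's localpart. The homeserver is never compared, so
    an account on any homeserver can pick a matching name."""
    parsed = parse_mxid(sender.mxid)
    sender_local = parsed[0] if parsed else None
    for entry in allowlist:
        entry_parsed = parse_mxid(entry)
        entry_local = entry_parsed[0] if entry_parsed else entry  # bare names accepted
        if sender.display_name == entry_local or sender_local == entry_local:
            return True
    return False


def hardened_is_allowed(sender: Sender, allowlist: list[str]) -> bool:
    """The fixed pattern: compare only the full, homeserver-qualified user ID.
    Display names are ignored, and allowlist entries that are not complete
    Matrix IDs are treated as misconfiguration and never match (fail closed)."""
    if parse_mxid(sender.mxid) is None:
        return False
    return any(entry == sender.mxid for entry in allowlist if parse_mxid(entry))


def demo() -> dict[str, tuple[bool, bool]]:
    """Run both checks over constructed senders; returns {case: (vulnerable, hardened)}."""
    allowlist = ["@alice:example.org"]
    cases = {
        "legitimate": Sender("@alice:example.org", "Alice"),
        # same localpart registered on an attacker-controlled homeserver
        "localpart_spoof": Sender("@alice:attacker.example", "Mallory"),
        # unrelated account whose display name was set to the allowlisted localpart
        "display_name_spoof": Sender("@mallory:attacker.example", "alice"),
    }
    return {name: (vulnerable_is_allowed(s, allowlist), hardened_is_allowed(s, allowlist))
            for name, s in cases.items()}


if __name__ == "__main__":
    for case, (vuln, fixed) in demo().items():
        print(f"{case:20} vulnerable={vuln!s:5} hardened={fixed}")
```

Both spoofed senders pass the vulnerable check and fail the hardened one. The hardened check also refuses to match a bare-name allowlist entry such as "alice", so a misconfigured allowlist denies everyone rather than silently admitting anyone with that name.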

Severity & Score

Severity: High
CVSS Score: 8.4

Impact

Any remote Matrix user who sets a display name, or registers a localpart on their own homeserver, that matches an allowlisted identity is accepted as that identity. The DM allowlist therefore no longer gates who can reach the application: attackers bypass this authentication control and gain access to communication channels restricted to allowlisted senders.

Mitigation

Upgrade to version 2026.2.2 or later. Because exploitation requires the Matrix plugin, disabling that plugin until the upgrade is applied removes the exposure. Independently of the fix, prefer allowlist entries that are fully qualified Matrix user IDs (@localpart:homeserver) rather than bare names, so that an entry cannot be matched across homeservers.

Details

CVE ID
CVE-2026-28471
Severity
High
CVSS Score
8.4
Type
Broken authentication
Status
new

CWE

  • CWE-287

CVSS Metrics

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Note on the vector: AV:L rates the attack vector as Local, which contradicts the overview's description of remote Matrix users triggering the bypass. The metrics as listed do compute to 8.4 under CVSS v3.1; with AV:N and every other metric unchanged the vector scores 9.8 (Critical). Prioritise this as a network-reachable issue.