CVE-2026-28471: OpenClaw has a Matrix allowlist bypass via displayName and cross-homeserver localpart matching
OpenClaw's Matrix DM allowlist matching could be bypassed in certain configurations: as the title states, an allowlist entry could be satisfied by a sender's displayName or by a localpart match that ignored the homeserver, so an account on another homeserver with the same localpart, or any account that set a matching display name, could pass the check.
Matrix support ships as an optional plugin (not bundled with the core install), so only deployments that have installed and enabled the Matrix plugin are affected; check for the plugin before ruling a deployment out.
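The following is an added illustration of the bug class the title names (an allowlist that matches on displayName or on the localpart alone) beside a hardened check that compares only the full Matrix user ID. It is not OpenClaw's code; the type and function names, the regular expression and the sample allowlist and senders are all hypothetical and constructed for this example.

```typescript
// Added illustration of the bug class named in this advisory's title; not
// OpenClaw's code. All names here are hypothetical.

// Matrix user IDs (MXIDs) have the form @localpart:server.name. Only the
// full MXID identifies an account: localparts repeat across homeservers,
// and a display name is free text that any user can set for themselves.
interface MatrixSender {
  userId: string;        // full MXID, e.g. "@alice:example.org"
  displayName?: string;  // user-controlled, not unique
}

const MXID_RE = /^@([^:]+):(.+)$/;

function parseMxid(mxid: string): { localpart: string; server: string } | null {
  const m = MXID_RE.exec(mxid);
  return m ? { localpart: m[1], server: m[2] } : null;
}

// Vulnerable pattern: an entry matches when the localpart or the display
// name lines up, so "@alice:attacker.example" passes for "@alice:example.org"
// and anyone who sets displayName to an allowlisted value passes as well.
function isAllowedLoose(sender: MatrixSender, allowlist: string[]): boolean {
  const senderId = parseMxid(sender.userId);
  if (!senderId) return false;
  return allowlist.some((entry) => {
    const entryId = parseMxid(entry);
    if (entryId) {
      // cross-homeserver localpart match: the server part is never compared
      return entryId.localpart === senderId.localpart;
    }
    // bare entry: treated as either a localpart or a display name
    return entry === senderId.localpart || entry === sender.displayName;
  });
}

// Hardened pattern: only a full MXID counts as an allowlist entry, and it
// must equal the sender's MXID in both parts. Display names are never
// consulted. The server part is a DNS name, so it is compared
// case-insensitively; the localpart is compared exactly.
function canonicalMxid(mxid: string): string | null {
  const id = parseMxid(mxid.trim());
  return id ? `@${id.localpart}:${id.server.toLowerCase()}` : null;
}

// Surface misconfigured entries (bare localparts, display names) so an
// operator sees them, instead of silently matching on them.
function invalidAllowlistEntries(allowlist: string[]): string[] {
  return allowlist.filter((e) => canonicalMxid(e) === null);
}

function isAllowedStrict(sender: MatrixSender, allowlist: string[]): boolean {
  const senderId = canonicalMxid(sender.userId);
  if (senderId === null) return false;
  return allowlist.some((entry) => canonicalMxid(entry) === senderId);
}

// Constructed sample data, not taken from the advisory.
const ALLOWLIST = ["@alice:example.org", "ops-bot"];
const SENDERS: Record<string, MatrixSender> = {
  legit:       { userId: "@alice:example.org", displayName: "Alice" },
  sameLocal:   { userId: "@alice:attacker.example", displayName: "Alice" },
  spoofedName: { userId: "@mallory:attacker.example", displayName: "ops-bot" },
  unknown:     { userId: "@bob:example.org" },
};

// Runs both checks over every sample sender and returns the verdicts.
function compare(): Record<string, { loose: boolean; strict: boolean }> {
  const out: Record<string, { loose: boolean; strict: boolean }> = {};
  for (const [name, s] of Object.entries(SENDERS)) {
    out[name] = {
      loose: isAllowedLoose(s, ALLOWLIST),
      strict: isAllowedStrict(s, ALLOWLIST),
    };
  }
  return out;
}

console.table(compare());
console.log("invalid allowlist entries:", invalidAllowlistEntries(ALLOWLIST));
```

Running it shows the two impostor senders (same localpart on another homeserver; spoofed display name) accepted by the loose check and rejected by the strict one, and flags "ops-bot" as an entry that can never be a full MXID. The design point is that the allowlist should be validated at load time to contain full MXIDs only, and the match should be a single exact comparison of the canonical MXID.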
References
- github.com/advisories/GHSA-rmxw-jxxx-4cpc
- github.com/openclaw/openclaw
- github.com/openclaw/openclaw/commit/8f3bfbd1c4fb967a2ddb5b4b9a05784920814bcf
- github.com/openclaw/openclaw/releases/tag/v2026.2.2
- github.com/openclaw/openclaw/security/advisories/GHSA-rmxw-jxxx-4cpc
- nvd.nist.gov/vuln/detail/CVE-2026-28471
- www.vulncheck.com/advisories/openclaw-allowlist-bypass-via-displayname-and-cross-homeserver-localpart-matching-in-matrix