GHSA-rmxw-jxxx-4cpc: OpenClaw has a Matrix allowlist bypass via displayName and cross-homeserver localpart matching

February 17, 2026

OpenClaw Matrix DM allowlist matching could be bypassed in certain configurations.

Matrix support ships as an optional plugin (not bundled with the core install), so this only affects deployments that have installed and enabled the Matrix plugin.

References

github.com/advisories/GHSA-rmxw-jxxx-4cpc
github.com/openclaw/openclaw
github.com/openclaw/openclaw/commit/8f3bfbd1c4fb967a2ddb5b4b9a05784920814bcf
github.com/openclaw/openclaw/releases/tag/v2026.2.2
github.com/openclaw/openclaw/security/advisories/GHSA-rmxw-jxxx-4cpc

Code Behaviors & Features

Detect and mitigate GHSA-rmxw-jxxx-4cpc with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →