{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/bot/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-44110"}],"_cs_exploited":false,"_cs_products":["OpenClaw"],"_cs_severities":["high"],"_cs_tags":["authorization bypass","matrix","bot"],"_cs_type":"advisory","_cs_vendors":["OpenClaw"],"content_html":"\u003cp\u003eOpenClaw, a Matrix bot, is vulnerable to an authorization bypass (CVE-2026-44110) affecting versions prior to 2026.4.15. This vulnerability stems from the Matrix room control-command authorization logic trusting DM pairing-store entries without proper validation against configured allowlists. An attacker who has established a DM pairing with the bot can exploit this flaw to execute room control commands by posting in bot rooms, even if they are not explicitly authorized. This can lead to unauthorized modification of room settings or execution of other privileged bot functionalities. The vulnerability was reported by VulnCheck and patched in version 2026.4.15. Defenders should upgrade to the latest version of OpenClaw to mitigate this risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker establishes a direct message (DM) pairing with the OpenClaw bot.\u003c/li\u003e\n\u003cli\u003eThe bot stores the DM pairing information.\u003c/li\u003e\n\u003cli\u003eAttacker identifies a bot room where OpenClaw is active.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a room control command, such as a command to change room settings.\u003c/li\u003e\n\u003cli\u003eAttacker posts the malicious command within the bot room.\u003c/li\u003e\n\u003cli\u003eOpenClaw receives the command and incorrectly trusts the DM pairing-store entry for authorization.\u003c/li\u003e\n\u003cli\u003eOpenClaw executes the room control command with elevated privileges, bypassing configured allowlists.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully modifies the room settings or triggers other privileged behavior.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-44110 allows unauthorized users to execute privileged commands within Matrix rooms controlled by OpenClaw. This could result in significant disruption, including unauthorized modification of room settings, disclosure of sensitive information, or other malicious activities enabled by OpenClaw\u0026rsquo;s functionality. The severity is compounded by the ease of exploitation, requiring only a pre-existing DM pairing with the bot. The impact depends on the specific functionalities and permissions granted to the OpenClaw bot within the affected Matrix environment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenClaw to version 2026.4.15 or later to patch CVE-2026-44110 (see References).\u003c/li\u003e\n\u003cli\u003eReview and restrict the permissions granted to the OpenClaw bot within Matrix rooms to minimize potential impact from unauthorized command execution.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u0026ldquo;Detect OpenClaw Room Control Command Abuse\u0026rdquo; to identify suspicious command activity within bot rooms.\u003c/li\u003e\n\u003cli\u003eMonitor Matrix room activity logs for unauthorized modifications or actions performed by the OpenClaw bot.\u003c/li\u003e\n\u003cli\u003eEnable logging of Matrix bot commands to aid in investigation and auditing of potential authorization bypass attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-06T20:16:34Z","date_published":"2026-05-06T20:16:34Z","id":"/briefs/2026-05-openclaw-auth-bypass/","summary":"OpenClaw before 2026.4.15 contains an authorization bypass vulnerability that allows attackers with DM-paired sender IDs to execute room control commands without being in configured allowlists, potentially enabling privileged OpenClaw behavior by posting in bot rooms.","title":"OpenClaw Authorization Bypass Vulnerability (CVE-2026-44110)","url":"https://feed.craftedsignal.io/briefs/2026-05-openclaw-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Bot","version":"https://jsonfeed.org/version/1.1"}