Shodan
Vulnerabilities
Vulnerable Software

Vulnerability Details CVE-2026-28471

OpenClaw version 2026.1.14-1 prior to 2026.2.2, with the Matrix plugin installed and enabled, contain a vulnerability in which DM allowlist matching could be bypassed by exact-matching against sender display names and localparts without homeserver validation. Remote Matrix users can impersonate allowed identities by using attacker-controlled display names or matching localparts from different homeservers to reach the routing and agent pipeline.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 12.8%
CVSS Severity
CVSS v3 Score 5.3
Products affected by CVE-2026-28471
  • Openclaw » Openclaw » Version: 2026.1.14-1
    cpe:2.3:a:openclaw:openclaw:2026.1.14-1
  • Openclaw » Openclaw » Version: 2026.1.15
    cpe:2.3:a:openclaw:openclaw:2026.1.15
  • Openclaw » Openclaw » Version: 2026.1.16-2
    cpe:2.3:a:openclaw:openclaw:2026.1.16-2
  • Openclaw » Openclaw » Version: 2026.1.20
    cpe:2.3:a:openclaw:openclaw:2026.1.20
  • Openclaw » Openclaw » Version: 2026.1.21
    cpe:2.3:a:openclaw:openclaw:2026.1.21
  • Openclaw » Openclaw » Version: 2026.1.22
    cpe:2.3:a:openclaw:openclaw:2026.1.22
  • Openclaw » Openclaw » Version: 2026.1.23
    cpe:2.3:a:openclaw:openclaw:2026.1.23
  • Openclaw » Openclaw » Version: 2026.1.24
    cpe:2.3:a:openclaw:openclaw:2026.1.24
  • Openclaw » Openclaw » Version: 2026.1.24-1
    cpe:2.3:a:openclaw:openclaw:2026.1.24-1
  • Openclaw » Openclaw » Version: 2026.1.29
    cpe:2.3:a:openclaw:openclaw:2026.1.29
  • Openclaw » Openclaw » Version: 2026.1.30
    cpe:2.3:a:openclaw:openclaw:2026.1.30
  • Openclaw » Openclaw » Version: 2026.2.1
    cpe:2.3:a:openclaw:openclaw:2026.2.1


Products
Pricing
Contact Us

Shodan ® - All rights reserved