CVE-2026-53811
OpenClaw · Multiple Products
OpenClaw contains a privilege escalation vulnerability in the Matrix allowFrom feature that allows authenticated accounts to match policy entries through mutable display name metadata.
Executive summary
A privilege escalation flaw in OpenClaw allows authenticated attackers to spoof identities and gain unauthorized access via mutable display name metadata.
Vulnerability
This vulnerability affects the "Matrix allowFrom" feature, which does not validate identity securely because it matches against mutable display name metadata. An authenticated user can change their display name to match a policy entry, thereby gaining the privileges that the policy grants to another identity.
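To illustrate the defect class described above, here is an added example (not OpenClaw's code; the function names, the `Sender` model and the policy entries are assumed for illustration). It contrasts an allow-list check that accepts a display name as an identity with a hardened check that compares only the homeserver-assigned Matrix user ID, and adds an audit helper that flags policy entries which are not fully qualified user IDs.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Constructed sender model. A Matrix user ID (MXID, "@localpart:domain")
# is assigned by the homeserver and stable; the display name is profile
# metadata the account holder can change at any time.
@dataclass(frozen=True)
class Sender:
    user_id: str       # e.g. "@alice:example.org" (stable identifier)
    display_name: str  # mutable profile metadata, never an identity

# Simplified MXID shape check (assumed, not the full Matrix grammar):
# "@" + localpart + ":" + server name, with no whitespace.
MXID_RE = re.compile(r"^@[^:\s]+:[^\s]+$")

def is_allowed_weak(sender: Sender, allow_from: Iterable[str]) -> bool:
    """Illustrative weak check: an allowFrom entry matches either the
    user ID or the display name, so self-chosen metadata satisfies policy."""
    return any(entry in (sender.user_id, sender.display_name)
               for entry in allow_from)

def is_allowed_strict(sender: Sender, allow_from: Iterable[str]) -> bool:
    """Hardened check: only entries shaped like a full MXID are honoured,
    and only the sender's homeserver-assigned user ID is compared (exactly)."""
    allowed = {entry for entry in allow_from if MXID_RE.match(entry)}
    return sender.user_id in allowed

def audit_allow_from(allow_from: Iterable[str]) -> List[str]:
    """Return policy entries that are not MXIDs, so an operator can find
    entries that would only ever match mutable metadata."""
    return [entry for entry in allow_from if not MXID_RE.match(entry)]

# Constructed sample policy: one proper MXID and one display-name entry.
ALLOW_FROM = ["@admin:example.org", "Ops Admin"]
admin = Sender("@admin:example.org", "Ops Admin")
# A different account that carries the same display name as the admin.
other = Sender("@someone:example.org", "Ops Admin")

if __name__ == "__main__":
    print("weak check, other account:  ", is_allowed_weak(other, ALLOW_FROM))
    print("strict check, other account:", is_allowed_strict(other, ALLOW_FROM))
    print("strict check, admin:        ", is_allowed_strict(admin, ALLOW_FROM))
    print("non-MXID policy entries:    ", audit_allow_from(ALLOW_FROM))
```

The audit helper is the detection-side counterpart to the remediation advice below: any allowFrom entry it reports can only be satisfied by display-name metadata and should be replaced with the intended account's user ID.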
Business impact
The CVSS score of 8.8 highlights the severity of this privilege escalation, which could result in unauthorized access to sensitive data or administrative functions. This flaw undermines the trust model of the Matrix feature, potentially allowing lower-privileged users to assume the roles of administrators.
Remediation
Immediate Action: Update OpenClaw to version 2026.5.7 or later to fix the identity validation logic.
Proactive Monitoring: Review user account changes and display name modifications for suspicious patterns that may indicate an attempt to impersonate authorized identities.
Compensating Controls: If the organization cannot update immediately, disable or restrict the use of the "Matrix allowFrom" feature until the patch is applied.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Privilege escalation vulnerabilities are critical because they allow lateral movement within an application. Administrators should update to version 2026.5.7 or later to ensure that identity matching is enforced correctly and securely.