
Five zero-day flaws in OpenClaw allowed attackers to bypass trust boundaries and hijack AI agent access across multiple messaging platforms, new research has found – right before Microsoft expands its use of the open-source platform.
- OpenClaw contained five zero-days enabling trusted-user impersonation and full AI agent hijacking.
- The flaws affected Slack, Discord, Matrix, Zalo, and Teams through mutable display names.
- Microsoft’s OpenClaw expansion looked poorly timed, undermining claims of enterprise-grade agent security.
It all looked pretty grand when, during its Build developer conference, Microsoft launched Microsoft Scout, its first Autopilot agent powered by OpenClaw.
The tech giant bragged that Scout can proactively schedule meetings, create needed materials for them, and perform – safely – other tasks, including learning about the user and their needs.
Now, though, the announcement seems pretty absurd. That’s because it turns out that just a few days earlier, a researcher discovered as many as five zero-days across OpenClaw, allowing attackers to bypass trust boundaries and hijack AI agent access across multiple messaging platforms.
According to security engineer Philip Garabandic, the vulnerabilities stem from a recurring design flaw in which human-readable identifiers, such as display names, are resolved to stable user IDs during service initialization.
For context, OpenClaw is a self-hosted gateway for AI agents. The operator installs it on their own machine, points it at a language model (Claude, GPT, or a local model via Ollama), and connects it to whichever chat platforms they want to message the agent from.
It supports more than 20 channels in total, including Slack, Discord, Matrix, Microsoft Teams, Telegram, WhatsApp, iMessage, Signal, and Zalo. With over 375,000 GitHub stars as of late May 2026, it is among the more widely adopted open-source projects in the AI agent space.
Each channel comes with its own allowlist. The operator specifies which users on that platform are permitted to message the agent, and that allowlist is the entire security model.
“If you can get yourself onto it, you can steer a tool-enabled AI agent that the operator trusts to act on their behalf,” Garabandic explains on his blog.
“Depending on what the agent is wired up to do, that can mean reading files, sending messages, running shell commands, or hitting internal APIs. The consequences of an allowlist bypass on OpenClaw are not ‘an attacker leaks some data.’ They are ‘an attacker drives your agent.’”
Since display names are mutable across most chat platforms, attackers can impersonate trusted users simply by renaming themselves to match an allowlisted identity.
According to Garabandic, this issue was initially identified in OpenClaw’s Telegram integration and patched under advisory GHSA-mj5r-hh7j-4gxf.
Despite the fix, the same root cause persisted across five additional channel extensions, specifically Slack, Discord, Matrix, Zalo, and Microsoft Teams.
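The following is an added illustration, not OpenClaw's code: it models an allowlist that resolves mutable display names to user IDs at initialization, shows how a renamed account collides with a trusted entry, and contrasts it with an allowlist keyed on stable IDs. Account names, IDs and the directory are constructed.

```python
# Added example (not OpenClaw's code). Models the display-name-to-ID
# resolution flaw described above and the ID-keyed alternative.
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    user_id: str       # stable, platform-assigned identifier
    display_name: str  # mutable, chosen by the account holder


# Constructed directory: the operator trusts the real "alice" (U001).
# An attacker (U999) has renamed their account to "alice" as well.
# Enumeration order is platform-dependent; here the attacker comes first.
ATTACKER = Account("U999", "alice")
ALICE = Account("U001", "alice")
BOB = Account("U042", "bob")
DIRECTORY = [ATTACKER, ALICE, BOB]


def resolve_by_display_name(allowlist_names, directory):
    """Vulnerable pattern: each allowlisted display name is resolved to
    a user ID once, at init, and the first account with that name wins."""
    allowed_ids = set()
    for name in allowlist_names:
        for acct in directory:
            if acct.display_name == name:
                allowed_ids.add(acct.user_id)
                break  # first match is taken as 'the' trusted user
    return allowed_ids


def is_allowed_vulnerable(sender, allowlist_names, directory):
    return sender.user_id in resolve_by_display_name(allowlist_names, directory)


def is_allowed_hardened(sender, allowlist_ids):
    """Hardened pattern: the operator allowlists stable IDs directly and
    the sender's ID is compared; display names are never consulted."""
    return sender.user_id in allowlist_ids


def ambiguous_allowlist_entries(allowlist_names, directory):
    """Operator-side check: allowlisted names matched by more than one
    account, i.e. entries that can no longer identify a single user."""
    return {name for name in allowlist_names
            if sum(a.display_name == name for a in directory) > 1}
```

The ambiguity check is a useful audit before migrating a name-based allowlist to IDs, since a colliding name means the resolver may already point at the wrong account.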
Yes, Microsoft, a company that is now embracing OpenClaw and claiming that all necessary security precautions are in place.
It’s also now pretty ironic to read what Microsoft said back in February, when its Defender Security Research Team claimed that OpenClaw shouldn’t be run on a standard personal or enterprise workstation because it has limited built-in security controls.
Now, Microsoft says that the Scout agent is built with enterprise-grade security and controls so it can be trusted in your organization from day one.
Maybe. But, as the cybersecurity pundits at vx-underground rightly point out on X, “Scout is always on and has file system and application access ‘based on your corporate policy.’”
It may be the best news for threat actors in a long time, indeed.