CVE-2026-32895

MEDIUM

OpenClaw < 2026.2.26 - Sender Authorization Bypass in Slack System Event Handlers

Title source: cna

Description

OpenClaw versions prior to 2026.2.26 fail to enforce sender authorization in member and message subtype system event handlers, allowing unauthorized events to be enqueued. Attackers can bypass Slack DM allowlists and per-channel user allowlists by sending system events from non-allowlisted senders through message_changed, message_deleted, and thread_broadcast events.

References (3)

[Third Party Advisory] https://github.com/openclaw/openclaw/security/advisories/GHSA-v8cg-4474-49v8

[Patch] https://github.com/openclaw/openclaw/commit/3d30ba18a2aba1e1b302e77ff33145c3b06c01c8

View Patch ZIP pw:eip

[Third Party Advisory] https://www.vulncheck.com/advisories/openclaw-sender-authorization-bypass-in-slack-system-event-handlers

Scores

CVSS v3 5.4

EPSS 0.0003

EPSS Percentile 8.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Details

CWE

CWE-863

Status published

Products (3)

npm/openclaw 0 - 2026.2.26npm

OpenClaw/OpenClaw < 2026.2.26

OpenClaw/OpenClaw 2026.2.26

Published Mar 21, 2026

Tracked Since Mar 21, 2026