CVE-2026-32906

MEDIUM

OpenClaw < 2026.5.12 - Privilege Escalation in Slack Plugin Approvals via Exec Approver Gate

Title source: CNA

Description

OpenClaw before 2026.5.12 contains a privilege escalation vulnerability in Slack plugin approvals: users who are authorized only for exec approvals can resolve plugin approvals through the exec approver gate. An attacker holding limited exec approval permission can therefore bypass the intended separation between exec and plugin approvals and approve plugin actions that operator configuration does not permit (an incorrect authorization check, CWE-863).

References (2)

Core References
Vendor Advisory
GitHub Security Advisory (GHSA-wv26-j37q-2g7p)
https://github.com/openclaw/openclaw/security/advisories/GHSA-wv26-j37q-2g7p

Scores

CVSS v3 4.3
EPSS 0.0017
EPSS Percentile 7.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-863
Status published
Products (3)
OpenClaw/OpenClaw < 2026.5.12
openclaw/openclaw < 2026.5.12
OpenClaw/OpenClaw 2026.5.12
Published May 29, 2026
Tracked Since May 29, 2026