CVE-2026-53851

MEDIUM

OpenClaw < 2026.5.12 - Slack Reaction Event Notification Bypass

Title source: cna
STIX 2.1

Description

OpenClaw before 2026.5.12 contains a notification bypass vulnerability allowing Slack reaction events to enter the agent pipeline despite disabled reaction notifications. Attackers can trigger unintended agent processing by sending reaction events when the feature is enabled, potentially leading to unauthorized processing of lower-trust input.

References (2)

Core 2
Core References
Vendor Advisory vendor-advisory
GitHub Security Advisory (GHSA-fcvx-5cxc-v5p8)
https://github.com/openclaw/openclaw/security/advisories/GHSA-fcvx-5cxc-v5p8
Third Party Advisory third-party-advisory
VulnCheck Advisory: OpenClaw < 2026.5.12 - Slack Reaction Event Notification Bypass
https://www.vulncheck.com/advisories/openclaw-slack-reaction-event-notification-bypass

Scores

CVSS v3 5.3
EPSS 0.0019
EPSS Percentile 9.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-862
Status published
Products (5)
npm/openclaw 0 - 2026.5.12npm
openclaw/openclaw 2026.5.12 beta1 (8 CPE variants)
OpenClaw/OpenClaw < 2026.5.12
openclaw/openclaw < 2026.5.12
OpenClaw/OpenClaw 2026.5.12
Published Jun 16, 2026
Tracked Since Jun 17, 2026