Slack integration in OpenClaw may let unauthorized users send messages
GHSA-x2ff-j5c2-ggpr
Summary
In shared Slack workspace deployments where OpenClaw relies on sender restrictions (`allowFrom`, the DM policy, or channel user allowlists) to decide who may talk to a session, some Slack interactive callbacks (`block_action`, `view_submission`, `view_closed`) were accepted before those sender checks ran. A workspace member who is not an allowed sender could therefore enqueue system-event text into an active session. The issue does not grant unauthenticated access, bypass isolation between gateways, or escalate host privileges on its own, but text injected into a live session is still unwanted. Update to OpenClaw 2026.2.25 or later.
What to do
- Update openclaw to version 2026.2.25.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | openclaw | <= 2026.2.24 | 2026.2.25 |
Original title
OpenClaw: Slack interactive callbacks could skip configured sender checks in some shared-workspace flows
Original description
## Impact
In shared Slack workspace deployments that rely on sender restrictions (`allowFrom`, DM policy, or channel user allowlists), some interactive callbacks (`block_action`, `view_submission`, `view_closed`) could be accepted before full sender authorization checks.
In that scenario, an unauthorized workspace member could enqueue system-event text into an active session. This issue did not provide unauthenticated access, cross-gateway isolation bypass, or host-level privilege escalation by itself.
## Affected Packages / Versions
- Package: `openclaw` (npm)
- Vulnerable versions: `<= 2026.2.24`
- Patched version: `2026.2.25` (planned next npm release)
## Fix Commit(s)
- `ce8c67c314b93f570f53c2a9abc124e1e3a54715`
## Release Process Note
`patched_versions` is pre-set to the release (`2026.2.25`). Advisory published with npm release `2026.2.25`.
## Trust Model Scope Note
OpenClaw does not support adversarial multi-user isolation on a single shared gateway instance. The supported model is one trust boundary per gateway (separate gateways/hosts for mutually untrusted users). See: https://docs.openclaw.ai/gateway/security
OpenClaw thanks @tdjackey for reporting.
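The check ordering described under Impact, as an added example that is not OpenClaw's code: a minimal Slack-style dispatcher in JavaScript showing the vulnerable order (interactive callbacks reach the session before the sender check) beside the fixed order (sender resolved from the payload and authorized before any branch touches the session). The `policy` shape, the `user.id` field on every payload, the session queue and the sample user IDs are assumptions made for this example, not OpenClaw's configuration or the contents of the fix commit.

```javascript
// Added example modelling the advisory's check ordering. Not OpenClaw's code;
// config shape, payload fields, session queue and user IDs are assumptions.

// Assumed config: channel-level allowlist of Slack user IDs plus a DM policy.
const policy = {
  allowFrom: new Set(["U0000ALICE"]), // constructed sample ID
  dmPolicy: "allowlist",              // "open" would accept any DM sender
};

// Assumed session: an accepted callback ultimately appends to this queue.
function makeSession() {
  return { events: [] };
}

// Sender authorization shared by every inbound path.
function isAllowedSender(userId, pol) {
  if (pol.dmPolicy === "open") return true;
  return pol.allowFrom.has(userId);
}

// Interactive callback types named in the advisory.
const INTERACTIVE = new Set(["block_action", "view_submission", "view_closed"]);

// Vulnerable ordering: interactive callbacks are enqueued before the sender
// check, so the check only ever covers ordinary messages.
function handleVulnerable(payload, session, pol) {
  if (INTERACTIVE.has(payload.type)) {
    session.events.push({ kind: "system", text: payload.text, from: payload.user.id });
    return "accepted";
  }
  if (!isAllowedSender(payload.user.id, pol)) return "rejected";
  session.events.push({ kind: "message", text: payload.text, from: payload.user.id });
  return "accepted";
}

// Fixed ordering: resolve the sender from the payload and authorize it first;
// a payload with no resolvable sender is rejected, never treated as trusted.
function handleFixed(payload, session, pol) {
  const userId = payload && payload.user && payload.user.id;
  if (typeof userId !== "string" || !isAllowedSender(userId, pol)) return "rejected";
  const kind = INTERACTIVE.has(payload.type) ? "system" : "message";
  session.events.push({ kind, text: payload.text, from: userId });
  return "accepted";
}

// Constructed sample payloads, simplified from Slack's interactive shapes.
const fromAllowed = { type: "message", user: { id: "U0000ALICE" }, text: "hello" };
const fromStranger = { type: "view_submission", user: { id: "U0000MALLORY" }, text: "injected" };

// Runs both handlers over the same two payloads and reports the outcomes and
// how many events reached each session.
function demo() {
  const v = makeSession();
  const f = makeSession();
  return {
    vulnerable: [handleVulnerable(fromAllowed, v, policy), handleVulnerable(fromStranger, v, policy), v.events.length],
    fixed: [handleFixed(fromAllowed, f, policy), handleFixed(fromStranger, f, policy), f.events.length],
  };
}

console.log(demo());
```

Two points carry over to any chat adapter: every inbound path that can append to a session must go through the same authorization function, and a callback whose sender cannot be resolved is rejected rather than falling through to an unchecked branch.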
Severity: 7.1 (GHSA, CVSS 4.0)
Vulnerability type: CWE-863 (Incorrect Authorization)
Published: 4 Mar 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026