2 matches found
Improper Authorization
Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Improper Authorization via the slash-command handler. An attacker can execute privileged commands by sending direct messages to the bot, bypassing intended allowlist or access-group...
OpenClaw Slack: dmPolicy=open allowed any DM sender to run privileged slash commands
Summary When Slack DMs are configured with dmPolicy=open, the Slack slash-command handler incorrectly treated any DM sender as command-authorized. This allowed any Slack user who could DM the bot to execute privileged slash commands via DM, bypassing intended allowlist/access-group restrictions...