CVE-2026-28392

OpenClaw versions prior to 2026.2.14 contain a privilege escalation vulnerability in the Slack slash-command handler that incorrectly authorizes any direct message sender when dmPolicy is set to open must be configured. Attackers can execute privileged slash commands via direct message to bypass...

EUVD-2026-9892

OpenClaw versions prior to 2026.2.14 contain a privilege escalation vulnerability in the Slack slash-command handler that incorrectly authorizes any direct message sender when dmPolicy is set to open must be configured. Attackers can execute privileged slash commands via direct message to bypass...

CVE-2026-28392

OpenClaw Slack slash-command handler in OpenClaw versions prior to 2026.2.14 contains a privilege-escalation flaw. When dmPolicy is set to open, direct messages are incorrectly authorized, allowing attackers to execute privileged slash commands via DM and bypass allowlist/ access-group restrictio...

OpenClaw Slack: dmPolicy=open allowed any DM sender to run privileged slash commands

Summary When Slack DMs are configured with dmPolicy=open, the Slack slash-command handler incorrectly treated any DM sender as command-authorized. This allowed any Slack user who could DM the bot to execute privileged slash commands via DM, bypassing intended allowlist/access-group restrictions...

PT-2024-35709 · Unknown · Home-Gallery.Org

Name of the Vulnerable Software and Affected Versions: Home-Gallery.org versions 1.15.0 and earlier Description: Home-Gallery.org is a self-hosted open-source web gallery to browse personal photos and videos. An open CORS policy in app.js may allow an attacker to view the images of home-gallery...