5 matches found

ATTACKERKB
added 2026/03/05 9:59 p.m. · 0 views

CVE-2026-28392

OpenClaw versions prior to 2026.2.14 contain a privilege escalation vulnerability in the Slack slash-command handler that incorrectly authorizes any direct message sender when dmPolicy is set to open. Attackers can execute privileged slash commands via direct message to bypass...

CVSS 9.8 · AI score 6 · EPSS 0.00046
Exploits: 0 · References: 4
CVE
added 2026/03/05 9:59 p.m. · 9 views

CVE-2026-28392

The Slack slash-command handler in OpenClaw versions prior to 2026.2.14 contains a privilege-escalation flaw. When dmPolicy is set to open, direct messages are incorrectly authorized, allowing attackers to execute privileged slash commands via DM and bypass allowlist/access-group restrictio...

CVSS 9.8 · AI score 6 · EPSS 0.00046
Exploits: 0 · References: 3 · Affected Software: 1
EUVD
added 2026/03/05 9:59 p.m. · 2 views

EUVD-2026-9892

OpenClaw versions prior to 2026.2.14 contain a privilege escalation vulnerability in the Slack slash-command handler that incorrectly authorizes any direct message sender when dmPolicy is set to open. Attackers can execute privileged slash commands via direct message to bypass...

CVSS 9.8 · AI score 6 · EPSS 0.00046
Exploits: 0 · References: 3
GitHub Security Blog
added 2026/02/18 12:51 a.m. · 9 views

OpenClaw Slack: dmPolicy=open allowed any DM sender to run privileged slash commands

Summary: When Slack DMs are configured with dmPolicy=open, the Slack slash-command handler incorrectly treated any DM sender as command-authorized. This allowed any Slack user who could DM the bot to execute privileged slash commands via DM, bypassing intended allowlist/access-group restrictions...

CVSS 9.8 · AI score 5.7 · EPSS 0.00046
Exploits: 0 · References: 6 · Affected Software: 1
Positive Technologies
added 2024/12/19 12:00 a.m. · 3 views

PT-2024-35709 · Unknown · Home-Gallery.Org

Name of the Vulnerable Software and Affected Versions: Home-Gallery.org versions 1.15.0 and earlier
Description: Home-Gallery.org is a self-hosted open-source web gallery to browse personal photos and videos. An open CORS policy in app.js may allow an attacker to view the images of home-gallery...

CVSS 6.3 · AI score 6.9 · EPSS 0.00093
Exploits: 0 · References: 9