3 matches found
CVE-2026-32895 OpenClaw < 2026.2.26 - Sender Authorization Bypass in Slack System Event Handlers
OpenClaw versions prior to 2026.2.26 fail to enforce sender authorization in member and message subtype system event handlers, allowing unauthorized events to be enqueued. Attackers can bypass Slack DM allowlists and per-channel user allowlists by sending system events from non-allowlisted sender...
CVE-2026-32895 OpenClaw < 2026.2.26 - Sender Authorization Bypass in Slack System Event Handlers
OpenClaw versions prior to 2026.2.26 fail to enforce sender authorization in member and message subtype system event handlers, allowing unauthorized events to be enqueued. Attackers can bypass Slack DM allowlists and per-channel user allowlists by sending system events from non-allowlisted sender...
OpenClaw: Slack system events bypass sender authorization in member and message subtype handlers
Summary Slack member and message subtype system events messagechanged, messagedeleted, threadbroadcast were not consistently enforcing sender authorization before enqueueing system events. Affected Packages / Versions - Package: openclaw npm - Latest published version: 2026.2.25 - Affected range:...