Description
OpenClaw (formerly Clawdbot) is a personal AI assistant users run on their own devices. In versions 2026.2.2 and below, when the Slack integration is enabled, channel metadata (topic/description) can be incorporated into the model's system prompt. Prompt injection is a documented risk for LLM-driven systems. This issue increases the injection surface by allowing untrusted Slack channel metadata to be treated as higher-trust system input. This issue has been fixed in version 2026.2.3.
Published: 2026-02-19
Score: 3.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch
AI Analysis

Impact

OpenClaw, a locally run AI assistant, incorporates Slack channel metadata into its system prompt when the Slack integration is enabled. This design allows an attacker to inject malicious content through the channel’s topic or description, causing the language model to execute unintended commands. The vulnerability is a form of code injection, mapped to CWE-74 and CWE-94, and provides a direct pathway to arbitrary code execution on the host running OpenClaw.

Affected Systems

The flaw affects OpenClaw versions 2026.2.2 and earlier, including the original Clawdbot release. The software runs on Node.js environments and is distributed via the openclaw GitHub repository. The issue is specific to installations that have enabled the Slack integration.

Risk and Exploitability

The CVSS score of 3.7 indicates low to moderate severity, yet the impact of remote code execution cannot be ignored. The EPSS score of less than 1% suggests a low probability of active exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. Nonetheless, an attacker who gains the ability to post or edit a Slack channel’s topic or description can trigger the injection, potentially compromising the entire host machine. Prompt mitigation is advised to prevent any potential compromise.

Generated by OpenCVE AI on April 17, 2026 at 18:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update OpenClaw to version 2026.2.3 or later, which removes the injection surface.
  • If an immediate upgrade is not possible, disable the Slack integration until the update is applied to eliminate the attack vector.
  • Audit existing Slack channel topics and descriptions for suspicious content before allowing the Slack integration to operate normally.

Generated by OpenCVE AI on April 17, 2026 at 18:19 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-782p-5fr5-7fj8 OpenClaw Affected by Remote Code Execution via System Prompt Injection in Slack Channel Descriptions
History

Thu, 19 Feb 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Openclaw
Openclaw openclaw
CPEs cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products Openclaw
Openclaw openclaw

Thu, 19 Feb 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 19 Feb 2026 10:30:00 +0000

Type Values Removed Values Added
First Time appeared Clawdbot
Clawdbot clawdbot
Vendors & Products Clawdbot
Clawdbot clawdbot

Thu, 19 Feb 2026 01:30:00 +0000

Type Values Removed Values Added
Description OpenClaw (formerly Clawdbot) is a personal AI assistant users run on their own devices. In versions 2026.2.2 and below, when the Slack integration is enabled, channel metadata (topic/description) can be incorporated into the model's system prompt. Prompt injection is a documented risk for LLM-driven systems. This issue increases the injection surface by allowing untrusted Slack channel metadata to be treated as higher-trust system input. This issue has been fixed in version 2026.2.3.
Title OpenClaw has Remote Code Execution via System Prompt Injection in Slack Channel Descriptions
Weaknesses CWE-74
CWE-94
References
Metrics cvssV3_1

{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N'}

Subscriptions

Clawdbot Clawdbot
Openclaw Openclaw
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-19T17:45:16.959Z

Reserved: 2026-01-26T21:06:47.867Z

Link: CVE-2026-24764

cve-icon Vulnrichment

Updated: 2026-02-19T17:05:04.460Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-19T07:17:44.957

Modified: 2026-02-19T18:30:39.867

Link: CVE-2026-24764

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T18:30:05Z

Weaknesses