Description
OpenClaw before 2026.4.2 fails to filter Slack thread context by sender allowlist, allowing non-allowlisted messages to enter agent context. Attackers can inject unauthorized thread messages through allowlisted user replies to bypass sender access controls and manipulate model context.
Published: 2026-04-23
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized model context manipulation
Action: Patch
AI Analysis

Impact

This vulnerability occurs because OpenClaw does not apply the sender allowlist when filtering Slack thread context. As a result, messages from users who are not on the allowlist can be included in the context supplied to the language model. An attacker can exploit this by sending a message through a reply that appears to come from an allowlisted user, thereby injecting unauthorized content into the model’s context and potentially manipulating the model’s responses or causing it to reveal sensitive information. This flaw aligns with CWE‑346, which concerns missing validation of a security‑relevant credential.

Affected Systems

The affected product is OpenClaw by OpenClaw. Versions before 2026.4.2 are vulnerable. No additional vendor or product versions are listed.

Risk and Exploitability

The CVSS score of 2.3 indicates a low severity, and the EPSS score of less than 1 % and absence from the CISA KEV catalog suggest that exploitation is unlikely in the wild. However, the attack likely requires the ability to post messages on a Slack channel that the OpenClaw instance monitors and to do so via an allowlisted user’s reply. If these conditions are met, the attacker can manipulate the model’s context without elevating privileges. The overall risk remains low, but the impact on model integrity warrants attention.

Generated by OpenCVE AI on April 28, 2026 at 07:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update OpenClaw to version 2026.4.2 or later
  • If an upgrade cannot be performed immediately, disable or restrict the Slack thread context feature, or limit the integration to only allowlisted users
  • Verify that the allowlist configuration is strictly maintained and does not unintentionally include non‑authorized users

Generated by OpenCVE AI on April 28, 2026 at 07:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-qm77-8qjp-4vcm OpenClaw: Slack thread context could include messages from non-allowlisted senders
History

Fri, 24 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 23 Apr 2026 22:15:00 +0000

Type Values Removed Values Added
Description OpenClaw before 2026.4.2 fails to filter Slack thread context by sender allowlist, allowing non-allowlisted messages to enter agent context. Attackers can inject unauthorized thread messages through allowlisted user replies to bypass sender access controls and manipulate model context.
Title OpenClaw < 2026.4.2 - Sender Allowlist Bypass via Slack Thread Context
First Time appeared Openclaw
Openclaw openclaw
Weaknesses CWE-346
CPEs cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products Openclaw
Openclaw openclaw
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N'}

cvssV4_0

{'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Openclaw Openclaw
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-24T16:34:31.555Z

Reserved: 2026-04-20T14:07:26.649Z

Link: CVE-2026-41358

cve-icon Vulnrichment

Updated: 2026-04-24T16:34:27.732Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-23T22:16:43.350

Modified: 2026-05-01T20:23:58.937

Link: CVE-2026-41358

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T07:15:19Z

Weaknesses