TROYANOSYVIRUS
Back to CVEs

CVE-2026-28392

HIGH
7.5

Description

OpenClaw versions prior to 2026.2.14 contain a privilege escalation vulnerability in the Slack slash-command handler that incorrectly authorizes any direct message sender when dmPolicy is set to open (must be configured). Attackers can execute privileged slash commands via direct message to bypass allowlist and access-group restrictions.

CVE Details

CVSS v3.1 Score7.5
SeverityHIGH
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack VectorNETWORK
ComplexityLOW
Privileges RequiredNONE
User InteractionNONE
Published3/5/2026
Last Modified3/10/2026
Sourcenvd
Honeypot Sightings0

Affected Products

openclaw:openclaw

Weaknesses (CWE)

CWE-863

References

https://github.com/openclaw/openclaw/commit/f19eabee54c49e9a2e264b4965edf28a2f92e657(disclosure@vulncheck.com)
https://github.com/openclaw/openclaw/security/advisories/GHSA-v773-r54f-q32w(disclosure@vulncheck.com)
https://www.vulncheck.com/advisories/openclaw-privilege-escalation-in-slack-slash-command-handler-via-direct-messages(disclosure@vulncheck.com)

IOC Correlations

No correlations recorded

This product uses data from the NVD API but is not endorsed or certified by the NVD.