Skip to content
Threat Feed
high advisory

OpenClaw Slack allowFrom Vulnerability (GHSA-c29c-2q9c-pc86)

A high-severity vulnerability (GHSA-c29c-2q9c-pc86) in OpenClaw's handling of Slack's `allowFrom` feature could allow an attacker to gain unintended agent access by manipulating their Slack display name metadata to match a policy entry, especially in configurations where the affected feature is enabled and reachable.

The OpenClaw project has disclosed a high-severity vulnerability (GHSA-c29c-2q9c-pc86) in its allowFrom feature, which facilitates integration with Slack. This flaw, present in npm/openclaw versions up to 2026.5.3-1, allows a malicious Slack account to gain unintended agent access within OpenClaw. The vulnerability hinges on OpenClaw incorrectly binding policy entries to mutable Slack display names rather than stable user IDs. An attacker can manipulate their display name to impersonate another identity specified in an OpenClaw allowlist, thereby gaining unauthorized access. This is particularly critical for organizations using OpenClaw Gateways where this feature is enabled and where lower-trust input could influence access paths. The vulnerability does not alter OpenClaw's trusted-operator model but highlights the importance of configuration best practices.

Attack Chain

  1. An attacker controls a Slack account that interacts with an OpenClaw Gateway instance.
  2. The OpenClaw Gateway is configured with the allowFrom feature enabled, relying on Slack display names in its access policies or allowlists.
  3. The attacker modifies their Slack account's display name metadata to precisely match the display name of a legitimate, higher-privileged identity specified in an OpenClaw allowlist.
  4. The attacker's Slack account initiates a request or interaction with the vulnerable OpenClaw Gateway.
  5. Due to the vulnerability (GHSA-c29c-2q9c-pc86), OpenClaw's allowFrom feature incorrectly resolves the attacker's mutable display name against its internal allowlist policy.
  6. The OpenClaw Gateway grants the attacker's Slack account agent access, mistakenly believing it is the legitimate, authorized user.
  7. The attacker leverages this unintended agent access to perform unauthorized actions or gain further access within the OpenClaw environment, such as data exfiltration or command execution.

Impact

The successful exploitation of this vulnerability could lead to a malicious Slack account receiving agent access within OpenClaw that was intended for another, legitimate Slack identity. The practical severity of this impact is highly dependent on the operator's specific OpenClaw configuration, particularly whether the allowFrom feature is enabled, reachable, and if lower-trust input can influence its access decisions. While no specific victim counts or industry sectors are mentioned, organizations relying on OpenClaw for automated tasks and integrations could face unauthorized data access, command execution, or other actions enabled by the compromised agent's permissions.

Recommendation

  • Immediately patch npm/openclaw to version 2026.5.3 or later to remediate the vulnerability.
  • Review and update OpenClaw allowlist configurations to use stable Slack user IDs instead of mutable display names, as suggested by the Mitigations section in the advisory.
  • Keep channel and tool allowlists as narrow as possible to minimize potential attack surface, as indicated in the Mitigations section.
  • Avoid sharing a single OpenClaw Gateway instance between mutually untrusted users or processes.
  • Disable the affected allowFrom feature when it is not strictly necessary for operational requirements.