OpenClaw Slack allowFrom Vulnerability (GHSA-c29c-2q9c-pc86)
A high-severity vulnerability (GHSA-c29c-2q9c-pc86) in OpenClaw's handling of Slack's `allowFrom` feature could allow an attacker to gain unintended agent access by manipulating their Slack display name metadata to match a policy entry, especially in configurations where the affected feature is enabled and reachable.
The OpenClaw project has disclosed a high-severity vulnerability (GHSA-c29c-2q9c-pc86) in its allowFrom feature, which facilitates integration with Slack. This flaw, present in npm/openclaw versions up to 2026.5.3-1, allows a malicious Slack account to gain unintended agent access within OpenClaw. The vulnerability hinges on OpenClaw incorrectly binding policy entries to mutable Slack display names rather than stable user IDs. An attacker can manipulate their display name to impersonate another identity specified in an OpenClaw allowlist, thereby gaining unauthorized access. This is particularly critical for organizations using OpenClaw Gateways where this feature is enabled and where lower-trust input could influence access paths. The vulnerability does not alter OpenClaw's trusted-operator model but highlights the importance of configuration best practices.
Attack Chain
- An attacker controls a Slack account that interacts with an OpenClaw Gateway instance.
- The OpenClaw Gateway is configured with the
allowFromfeature enabled, relying on Slack display names in its access policies or allowlists. - The attacker modifies their Slack account's display name metadata to precisely match the display name of a legitimate, higher-privileged identity specified in an OpenClaw allowlist.
- The attacker's Slack account initiates a request or interaction with the vulnerable OpenClaw Gateway.
- Due to the vulnerability (GHSA-c29c-2q9c-pc86), OpenClaw's
allowFromfeature incorrectly resolves the attacker's mutable display name against its internal allowlist policy. - The OpenClaw Gateway grants the attacker's Slack account agent access, mistakenly believing it is the legitimate, authorized user.
- The attacker leverages this unintended agent access to perform unauthorized actions or gain further access within the OpenClaw environment, such as data exfiltration or command execution.
Impact
The successful exploitation of this vulnerability could lead to a malicious Slack account receiving agent access within OpenClaw that was intended for another, legitimate Slack identity. The practical severity of this impact is highly dependent on the operator's specific OpenClaw configuration, particularly whether the allowFrom feature is enabled, reachable, and if lower-trust input can influence its access decisions. While no specific victim counts or industry sectors are mentioned, organizations relying on OpenClaw for automated tasks and integrations could face unauthorized data access, command execution, or other actions enabled by the compromised agent's permissions.
Recommendation
- Immediately patch
npm/openclawto version2026.5.3or later to remediate the vulnerability. - Review and update OpenClaw allowlist configurations to use stable Slack user IDs instead of mutable display names, as suggested by the
Mitigationssection in the advisory. - Keep channel and tool allowlists as narrow as possible to minimize potential attack surface, as indicated in the
Mitigationssection. - Avoid sharing a single OpenClaw Gateway instance between mutually untrusted users or processes.
- Disable the affected
allowFromfeature when it is not strictly necessary for operational requirements.