{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/npm/openclaw--2026.5.3-1/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["npm/openclaw (\u003c= 2026.5.3-1)"],"_cs_severities":["high"],"_cs_tags":["vulnerability","supply-chain","cloud","npm"],"_cs_type":"advisory","_cs_vendors":["Slack","OpenClaw"],"content_html":"\u003cp\u003eThe OpenClaw project has disclosed a high-severity vulnerability (GHSA-c29c-2q9c-pc86) in its \u003ccode\u003eallowFrom\u003c/code\u003e feature, which facilitates integration with Slack. This flaw, present in \u003ccode\u003enpm/openclaw\u003c/code\u003e versions up to \u003ccode\u003e2026.5.3-1\u003c/code\u003e, allows a malicious Slack account to gain unintended agent access within OpenClaw. The vulnerability hinges on OpenClaw incorrectly binding policy entries to mutable Slack display names rather than stable user IDs. An attacker can manipulate their display name to impersonate another identity specified in an OpenClaw allowlist, thereby gaining unauthorized access. This is particularly critical for organizations using OpenClaw Gateways where this feature is enabled and where lower-trust input could influence access paths. The vulnerability does not alter OpenClaw's trusted-operator model but highlights the importance of configuration best practices.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker controls a Slack account that interacts with an OpenClaw Gateway instance.\u003c/li\u003e\n\u003cli\u003eThe OpenClaw Gateway is configured with the \u003ccode\u003eallowFrom\u003c/code\u003e feature enabled, relying on Slack display names in its access policies or allowlists.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies their Slack account's display name metadata to precisely match the display name of a legitimate, higher-privileged identity specified in an OpenClaw allowlist.\u003c/li\u003e\n\u003cli\u003eThe attacker's Slack account initiates a request or interaction with the vulnerable OpenClaw Gateway.\u003c/li\u003e\n\u003cli\u003eDue to the vulnerability (GHSA-c29c-2q9c-pc86), OpenClaw's \u003ccode\u003eallowFrom\u003c/code\u003e feature incorrectly resolves the attacker's mutable display name against its internal allowlist policy.\u003c/li\u003e\n\u003cli\u003eThe OpenClaw Gateway grants the attacker's Slack account agent access, mistakenly believing it is the legitimate, authorized user.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages this unintended agent access to perform unauthorized actions or gain further access within the OpenClaw environment, such as data exfiltration or command execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of this vulnerability could lead to a malicious Slack account receiving agent access within OpenClaw that was intended for another, legitimate Slack identity. The practical severity of this impact is highly dependent on the operator's specific OpenClaw configuration, particularly whether the \u003ccode\u003eallowFrom\u003c/code\u003e feature is enabled, reachable, and if lower-trust input can influence its access decisions. While no specific victim counts or industry sectors are mentioned, organizations relying on OpenClaw for automated tasks and integrations could face unauthorized data access, command execution, or other actions enabled by the compromised agent's permissions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately patch \u003ccode\u003enpm/openclaw\u003c/code\u003e to version \u003ccode\u003e2026.5.3\u003c/code\u003e or later to remediate the vulnerability.\u003c/li\u003e\n\u003cli\u003eReview and update OpenClaw allowlist configurations to use stable Slack user IDs instead of mutable display names, as suggested by the \u003ccode\u003eMitigations\u003c/code\u003e section in the advisory.\u003c/li\u003e\n\u003cli\u003eKeep channel and tool allowlists as narrow as possible to minimize potential attack surface, as indicated in the \u003ccode\u003eMitigations\u003c/code\u003e section.\u003c/li\u003e\n\u003cli\u003eAvoid sharing a single OpenClaw Gateway instance between mutually untrusted users or processes.\u003c/li\u003e\n\u003cli\u003eDisable the affected \u003ccode\u003eallowFrom\u003c/code\u003e feature when it is not strictly necessary for operational requirements.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T12:04:25Z","date_published":"2026-07-03T12:04:25Z","id":"https://feed.craftedsignal.io/briefs/2026-07-openclaw-slack-allowfrom-vulnerability/","summary":"A high-severity vulnerability (GHSA-c29c-2q9c-pc86) in OpenClaw's handling of Slack's `allowFrom` feature could allow an attacker to gain unintended agent access by manipulating their Slack display name metadata to match a policy entry, especially in configurations where the affected feature is enabled and reachable.","title":"OpenClaw Slack allowFrom Vulnerability (GHSA-c29c-2q9c-pc86)","url":"https://feed.craftedsignal.io/briefs/2026-07-openclaw-slack-allowfrom-vulnerability/"}],"language":"en","title":"CraftedSignal Threat Feed - Npm/Openclaw (\u003c= 2026.5.3-1)","version":"https://jsonfeed.org/version/1.1"}