<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Npm/Openclaw (&lt;= 2026.5.3-1) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/npm/openclaw--2026.5.3-1/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 03 Jul 2026 12:04:25 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/npm/openclaw--2026.5.3-1/feed.xml" rel="self" type="application/rss+xml"/><item><title>OpenClaw Slack allowFrom Vulnerability (GHSA-c29c-2q9c-pc86)</title><link>https://feed.craftedsignal.io/briefs/2026-07-openclaw-slack-allowfrom-vulnerability/</link><pubDate>Fri, 03 Jul 2026 12:04:25 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-openclaw-slack-allowfrom-vulnerability/</guid><description>A high-severity vulnerability (GHSA-c29c-2q9c-pc86) in OpenClaw's handling of Slack's `allowFrom` feature could allow an attacker to gain unintended agent access by manipulating their Slack display name metadata to match a policy entry, especially in configurations where the affected feature is enabled and reachable.</description><content:encoded><![CDATA[<p>The OpenClaw project has disclosed a high-severity vulnerability (GHSA-c29c-2q9c-pc86) in its <code>allowFrom</code> feature, which facilitates integration with Slack. This flaw, present in <code>npm/openclaw</code> versions up to <code>2026.5.3-1</code>, allows a malicious Slack account to gain unintended agent access within OpenClaw. The vulnerability hinges on OpenClaw incorrectly binding policy entries to mutable Slack display names rather than stable user IDs. An attacker can manipulate their display name to impersonate another identity specified in an OpenClaw allowlist, thereby gaining unauthorized access. This is particularly critical for organizations using OpenClaw Gateways where this feature is enabled and where lower-trust input could influence access paths. The vulnerability does not alter OpenClaw's trusted-operator model but highlights the importance of configuration best practices.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker controls a Slack account that interacts with an OpenClaw Gateway instance.</li>
<li>The OpenClaw Gateway is configured with the <code>allowFrom</code> feature enabled, relying on Slack display names in its access policies or allowlists.</li>
<li>The attacker modifies their Slack account's display name metadata to precisely match the display name of a legitimate, higher-privileged identity specified in an OpenClaw allowlist.</li>
<li>The attacker's Slack account initiates a request or interaction with the vulnerable OpenClaw Gateway.</li>
<li>Due to the vulnerability (GHSA-c29c-2q9c-pc86), OpenClaw's <code>allowFrom</code> feature incorrectly resolves the attacker's mutable display name against its internal allowlist policy.</li>
<li>The OpenClaw Gateway grants the attacker's Slack account agent access, mistakenly believing it is the legitimate, authorized user.</li>
<li>The attacker leverages this unintended agent access to perform unauthorized actions or gain further access within the OpenClaw environment, such as data exfiltration or command execution.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The successful exploitation of this vulnerability could lead to a malicious Slack account receiving agent access within OpenClaw that was intended for another, legitimate Slack identity. The practical severity of this impact is highly dependent on the operator's specific OpenClaw configuration, particularly whether the <code>allowFrom</code> feature is enabled, reachable, and if lower-trust input can influence its access decisions. While no specific victim counts or industry sectors are mentioned, organizations relying on OpenClaw for automated tasks and integrations could face unauthorized data access, command execution, or other actions enabled by the compromised agent's permissions.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately patch <code>npm/openclaw</code> to version <code>2026.5.3</code> or later to remediate the vulnerability.</li>
<li>Review and update OpenClaw allowlist configurations to use stable Slack user IDs instead of mutable display names, as suggested by the <code>Mitigations</code> section in the advisory.</li>
<li>Keep channel and tool allowlists as narrow as possible to minimize potential attack surface, as indicated in the <code>Mitigations</code> section.</li>
<li>Avoid sharing a single OpenClaw Gateway instance between mutually untrusted users or processes.</li>
<li>Disable the affected <code>allowFrom</code> feature when it is not strictly necessary for operational requirements.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>vulnerability</category><category>supply-chain</category><category>cloud</category><category>npm</category></item></channel></rss>