High severityNVD Advisory· Published Mar 5, 2026· Updated Mar 10, 2026
OpenClaw < 2026.2.14 - Privilege Escalation in Slack Slash Command Handler via Direct Messages
CVE-2026-28392
Description
OpenClaw versions prior to 2026.2.14 contain a privilege escalation vulnerability in the Slack slash-command handler that incorrectly authorizes any direct message sender when dmPolicy is set to open (must be configured). Attackers can execute privileged slash commands via direct message to bypass allowlist and access-group restrictions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
openclawnpm | < 2026.2.14 | 2026.2.14 |
Affected products
2Patches
Vulnerability mechanics
References
6- github.com/openclaw/openclaw/commit/f19eabee54c49e9a2e264b4965edf28a2f92e657ghsapatchWEB
- github.com/advisories/GHSA-v773-r54f-q32wghsaADVISORY
- github.com/openclaw/openclaw/security/advisories/GHSA-v773-r54f-q32wghsavendor-advisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2026-28392ghsaADVISORY
- www.vulncheck.com/advisories/openclaw-privilege-escalation-in-slack-slash-command-handler-via-direct-messagesghsathird-party-advisoryWEB
- github.com/openclaw/openclaw/releases/tag/v2026.2.14ghsaWEB
News mentions
0No linked articles in our index yet.