CVE-2026-53851

Vulnerability

A notification bypass vulnerability exists in OpenClaw before version 2026.5.12. Slack reaction events can enter the agent pipeline even when reaction notifications are disabled in the configuration, violating the intended setting [1][2]. This affects the feature that processes Slack reaction events delivered to the configured app [1].

Exploitation

An attacker who can send Slack reaction events (e.g., a user with access to react in the Slack workspace) can trigger unintended agent processing by sending reaction events when the feature is enabled [1][2]. The attacker does not need authentication to OpenClaw itself but requires the ability to post reactions in Slack channels that the OpenClaw integration monitors [1]. The vulnerability does not change the trusted-operator model; authenticated Gateway operators and installed plugins remain trusted unless separate policies are crossed [1].

Impact

Successful exploitation could lead to unauthorized processing of lower-trust input via reaction events [1][2]. The practical impact depends on the operator's configuration and whether lower-trust input can reach the agent pipeline through this path [1]. The vulnerability is primarily about circumventing notification settings rather than direct system compromise, but could enable further exploitation if combined with other weaknesses [1][2].

Mitigation

The first stable patched version is 2026.5.12 [1]. As a workaround, operators can disable or restrict Slack reaction event subscriptions until patched if this path is not needed [1]. General hardening measures include keeping channel and tool allowlists narrow, avoiding sharing one Gateway between mutually untrusted users, and disabling the affected feature when not required [1].