Get a Demo

Let's Patch It!

Book a short call with one our specialists, we'll walk you through how Endor Patches work, and ask you a few questions about your environment (like your primary programming languages and repository management). We'll also send you an email right after you fill out the form, feel free to reply with any questions you have in advance!

CVE

CVE-2026-32005

OpenClaw: Slack interactive callbacks could skip configured sender checks in some shared-workspace flows
Back to all
CVE

CVE-2026-32005

OpenClaw: Slack interactive callbacks could skip configured sender checks in some shared-workspace flows

Impact

In shared Slack workspace deployments that rely on sender restrictions (allowFrom, DM policy, or channel user allowlists), some interactive callbacks (block_actionview_submissionview_closed) could be accepted before full sender authorization checks.

In that scenario, an unauthorized workspace member could enqueue system-event text into an active session. This issue did not provide unauthenticated access, cross-gateway isolation bypass, or host-level privilege escalation by itself.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Vulnerable versions: <= 2026.2.24
  • Patched version: 2026.2.25 (planned next npm release)

Fix Commit(s)

  • ce8c67c314b93f570f53c2a9abc124e1e3a54715

Release Process Note

patched_versions is pre-set to the release (2026.2.25). Advisory published with npm release 2026.2.25.

Trust Model Scope Note

OpenClaw does not support adversarial multi-user isolation on a single shared gateway instance. The supported model is one trust boundary per gateway (separate gateways/hosts for mutually untrusted users). See: https://docs.openclaw.ai/gateway/security

OpenClaw thanks @tdjackey for reporting.

Package Versions Affected

Package Version
patch Availability
No items found.

Automatically patch vulnerabilities without upgrading

Fix Without Upgrading
Detect compatible fix
Apply safe remediation
Fix with a single pull request

CVSS Version

Severity
Base Score
CVSS Version
Score Vector
C
H
U
7.6
-
4.0
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
C
H
U
0
-
3.1
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
C
H
U
-

Related Resources

No items found.

References

https://github.com/openclaw/openclaw/security/advisories/GHSA-x2ff-j5c2-ggpr, https://nvd.nist.gov/vuln/detail/CVE-2026-32005, https://github.com/openclaw/openclaw/commit/ce8c67c314b93f570f53c2a9abc124e1e3a54715, https://github.com/openclaw/openclaw, https://www.vulncheck.com/advisories/openclaw-authorization-bypass-in-interactive-callbacks-via-sender-check-skip

Severity

6.8

CVSS Score
0
10

Basic Information

Ecosystem
Base CVSS
6.8
EPSS Probability
0.00036%
EPSS Percentile
0.10881%
Introduced Version
0
Fix Available
2026.2.25

Fix Critical Vulnerabilities Instantly

Secure your app without upgrading.
Fix Without Upgrading