CVE-2026-32895
Authorization Bypass in OpenClaw System Event Handlers Enables Unauthorized Messaging
Publication date: 2026-03-21
Last updated on: 2026-03-23
Assigner: VulnCheck
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openclaw | openclaw | up to 2026.2.26 (exclusive) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32895 is a vulnerability in OpenClaw versions prior to 2026.2.26 where the system fails to enforce sender authorization in Slack system event handlers related to member and message subtype events.

Specifically, unauthorized users can enqueue system events such as message_changed, message_deleted, and thread_broadcast without proper permission checks.

This happens because the system does not verify the sender's identity and permissions before processing these events, allowing attackers to bypass Slack direct message (DM) allowlists and per-channel user allowlists. [1, 2, 3]
How can this vulnerability impact me?
This vulnerability allows unauthorized actors to inject Slack system events that should be restricted, potentially leading to unauthorized actions within Slack channels.
- Bypassing DM allowlists means attackers can send system events in direct messages where they are not permitted.
- Bypassing per-channel user allowlists means attackers can trigger events in channels where they are not authorized.
Such unauthorized events could disrupt channel membership information or message states, potentially causing confusion, misinformation, or unauthorized visibility of channel activities.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
To mitigate CVE-2026-32895, you should upgrade OpenClaw to version 2026.2.26 or later, which includes a fix that enforces strict sender authorization for Slack system events.

- Ensure that the OpenClaw system event handlers for member and message subtype events use the updated authorization function `authorizeAndResolveSlackSystemEventContext` to verify sender identity and permissions.
- Configure your Slack direct message (DM) policies (`dmPolicy`) appropriately, using "allowlist" mode to restrict events to authorized senders or "disabled" to block member and message subtype events in DMs.
- Enforce per-channel user allowlists to block events from unauthorized users outside the allowed list.

These steps prevent unauthorized injection of Slack system events by ensuring that only authorized senders can enqueue such events. [1, 2]
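The following is an added illustration of the check the mitigation describes, not OpenClaw's code: the page does not show the project's handler or the signature of `authorizeAndResolveSlackSystemEventContext`, so the function `authorizeSlackSystemEvent`, the `CONFIG` shape, the `dmPolicy` value `"open"` (the page names only `"allowlist"` and `"disabled"`), the `channelAllowFrom` map and every user/channel ID are assumptions. The Slack payload field paths (`message.user` for `message_changed`, `previous_message.user` for `message_deleted`, `user` otherwise) follow Slack's Events API documentation but are treated as assumptions here too. The unchecked enqueue is shown first as the defect pattern, then the fail-closed gate that resolves the sender and applies the DM policy or the per-channel allowlist before anything is queued.

```javascript
// Added example, not OpenClaw's code. All identifiers, IDs and the sample
// events below are constructed for illustration.

// Member/message-subtype events that change state and must be gated.
const GATED_SUBTYPES = new Set([
  "message_changed",
  "message_deleted",
  "thread_broadcast",
  "member_joined_channel",
  "member_left_channel",
]);

// Assumed configuration shape: a DM policy plus a per-channel user allowlist.
const CONFIG = {
  dmPolicy: "allowlist",                       // "allowlist" | "disabled" | "open" (assumed)
  dmAllowFrom: new Set(["U_OWNER"]),
  channelAllowFrom: { C_OPS: new Set(["U_OWNER", "U_OPS_ADMIN"]) },
};

// Message subtypes arrive as type="message" with a subtype; member events are their own type.
const eventKind = (event) => event.subtype ?? event.type;

// The sender lives in different places depending on the subtype (assumed field paths).
function resolveSender(event) {
  switch (event.subtype) {
    case "message_changed": return event.message?.user ?? null;
    case "message_deleted": return event.previous_message?.user ?? null;
    default:                return event.user ?? null;
  }
}

const isDirectMessage = (event) =>
  event.channel_type === "im" ||
  (typeof event.channel === "string" && event.channel.startsWith("D"));

// Defect pattern: the event is queued on the basis of its kind alone; nobody asks who sent it.
function enqueueSystemEventUnchecked(queue, event) {
  if (GATED_SUBTYPES.has(eventKind(event))) queue.push(event);
  return queue.length;
}

const allow = (sender) => ({ allowed: true, sender });
const deny = (reason) => ({ allowed: false, reason });

// Hardened gate: resolve the sender, then apply the DM policy or the channel allowlist.
// Every ambiguous case (no sender, unknown policy, unconfigured channel) fails closed.
function authorizeSlackSystemEvent(event, cfg) {
  const kind = eventKind(event);
  if (!GATED_SUBTYPES.has(kind)) return deny(`${kind} is not a gated system event`);

  const sender = resolveSender(event);
  if (!sender) return deny("no resolvable sender on event");

  if (isDirectMessage(event)) {
    switch (cfg.dmPolicy) {
      case "disabled":  return deny("dmPolicy=disabled blocks system events in DMs");
      case "allowlist": return cfg.dmAllowFrom.has(sender)
                          ? allow(sender) : deny(`${sender} not in DM allowlist`);
      case "open":      return allow(sender);
      default:          return deny(`unknown dmPolicy ${String(cfg.dmPolicy)}`);
    }
  }

  const channelAllow = cfg.channelAllowFrom[event.channel];
  if (!channelAllow) return deny(`no allowlist configured for ${event.channel}`);
  return channelAllow.has(sender)
    ? allow(sender) : deny(`${sender} not in allowlist for ${event.channel}`);
}

// Hardened enqueue: only an authorized decision reaches the queue, with the resolved sender attached.
function enqueueSystemEvent(queue, event, cfg) {
  const decision = authorizeSlackSystemEvent(event, cfg);
  if (decision.allowed) queue.push({ sender: decision.sender, event });
  return decision;
}

// Constructed sample events covering each branch of the gate.
const SAMPLE_EVENTS = {
  dmEditByOwner:       { type: "message", subtype: "message_changed", channel: "D_OWNER", channel_type: "im",
                         message: { user: "U_OWNER", text: "edited" }, previous_message: { user: "U_OWNER", text: "orig" } },
  dmDeleteByStranger:  { type: "message", subtype: "message_deleted", channel: "D_OWNER", channel_type: "im",
                         previous_message: { user: "U_STRANGER", text: "gone" } },
  opsBroadcastByAdmin: { type: "message", subtype: "thread_broadcast", channel: "C_OPS", user: "U_OPS_ADMIN", text: "fyi" },
  unlistedChannelEdit: { type: "message", subtype: "message_changed", channel: "C_RANDOM", message: { user: "U_OWNER" } },
  anonymousEdit:       { type: "message", subtype: "message_changed", channel: "D_OWNER", channel_type: "im",
                         message: { text: "no user field" } },
  ownerJoinsOps:       { type: "member_joined_channel", channel: "C_OPS", user: "U_OWNER" },
};

// Side-by-side run: the unchecked path queues all six, the gated path only the three authorized ones.
function compareQueues(cfg) {
  const unchecked = [], gated = [];
  for (const event of Object.values(SAMPLE_EVENTS)) {
    enqueueSystemEventUnchecked(unchecked, event);
    enqueueSystemEvent(gated, event, cfg);
  }
  return { unchecked: unchecked.length, gated: gated.length };
}

for (const [name, event] of Object.entries(SAMPLE_EVENTS)) {
  console.log(name.padEnd(20), JSON.stringify(authorizeSlackSystemEvent(event, CONFIG)));
}
console.log(compareQueues(CONFIG));
```

The design point worth carrying over is the fail-closed default: an event with no resolvable sender, an unrecognised `dmPolicy`, or a channel with no allowlist is refused rather than waved through, so a malformed or unexpected payload cannot become the path around the allowlists the advisory describes.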