CVE-2026-28392 Overview
CVE-2026-28392 is a privilege escalation vulnerability in OpenClaw versions prior to 2026.2.14. The flaw is in the Slack slash-command handler: when dmPolicy is set to open (a non-default setting that an operator must enable explicitly), the handler treats every direct message sender as authorized. An attacker who can DM the bot can therefore run privileged slash commands, bypassing the allowlist and access-group restrictions that are meant to protect sensitive operations.
Critical Impact
Attackers can bypass authorization controls in OpenClaw's Slack integration, executing privileged slash commands without proper access-group membership or allowlist approval.
Affected Products
- OpenClaw versions prior to 2026.2.14
Discovery Timeline
- 2026-03-05 - CVE-2026-28392 published to NVD
- 2026-03-05 - Last updated in the NVD database
Technical Details for CVE-2026-28392
Vulnerability Analysis
This vulnerability is classified under CWE-863 (Incorrect Authorization). The flaw is in the authorization logic of the Slack slash-command handler's direct-message path. When dmPolicy is set to open, the handler treats every direct message sender as authorized to execute privileged slash commands, so the allowlist and access-group checks that are supposed to gate those commands never take effect.
The vulnerability is exploitable over the network (through Slack) but only on instances where dmPolicy is set to open, which limits the exposed population to that configuration. Where it applies, the impact is primarily to integrity: users with no allowlist entry or access-group membership can execute privileged operations.
Root Cause
The root cause is the initialization of the commandAuthorized variable in the slash-command handler. The vulnerable code starts commandAuthorized at true and only clears it on specific paths, instead of starting at false and setting it to true once an allowlist or access-group check has passed. In the direct-message path with dmPolicy set to open, none of the clearing paths run, so the default survives and every DM sender is treated as authorized. This is a fail-open default: a branch that forgets to evaluate authorization silently grants access rather than denying it.
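To make the fail-open default concrete, here is an added example in TypeScript (the language of OpenClaw's handler) that is not OpenClaw's code. It models the vulnerable and the fixed shape of the authorization decision side by side. The names dmPolicy, allowFrom and commandAuthorized come from the advisory; SlashContext, SlashCommand, the privileged flag, the two policy values and the sample user IDs are hypothetical.

```typescript
// Added example, not OpenClaw's code: a minimal model of the fail-open default
// behind CVE-2026-28392. dmPolicy, allowFrom and commandAuthorized are names
// from the advisory; SlashContext, SlashCommand, the privileged flag and the
// sample user IDs below are hypothetical.

type DmPolicy = "open" | "disabled";

interface SlashContext {
  dmEnabled: boolean;
  dmPolicy: DmPolicy;
  allowFrom: string[]; // operator allowlist of Slack user IDs
}

interface SlashCommand {
  userId: string;
  isDirectMessage: boolean;
  privileged: boolean; // true for commands that should require allowlist membership
}

// Normalize the allowlist once: trim, lower-case, drop empty entries.
function normalizeAllowListLower(entries: string[]): Set<string> {
  return new Set(entries.map((e) => e.trim().toLowerCase()).filter((e) => e.length > 0));
}

// VULNERABLE shape (versions before 2026.2.14): the flag is born true and the
// DM branch only rejects when DMs are disabled. With dmPolicy "open" nothing
// re-evaluates it, so any DM sender keeps the privileged default.
function authorizeVulnerable(ctx: SlashContext, cmd: SlashCommand): boolean {
  const allow = normalizeAllowListLower(ctx.allowFrom);
  let commandAuthorized = true; // the bug: authorization assumed, not computed
  if (cmd.isDirectMessage) {
    if (!ctx.dmEnabled || ctx.dmPolicy === "disabled") {
      return false; // DMs off: nothing is processed
    }
    // dmPolicy "open": falls through with commandAuthorized still true
  } else {
    commandAuthorized = allow.has(cmd.userId.toLowerCase());
  }
  return cmd.privileged ? commandAuthorized : true;
}

// FIXED shape (2026.2.14): default deny. Authorization has to be earned on
// every path, so a branch that forgets to set the flag now fails closed.
function authorizeFixed(ctx: SlashContext, cmd: SlashCommand): boolean {
  const allow = normalizeAllowListLower(ctx.allowFrom);
  let commandAuthorized = false; // compute, don't assume
  if (cmd.isDirectMessage) {
    if (!ctx.dmEnabled || ctx.dmPolicy === "disabled") {
      return false;
    }
    // "open" only means the bot accepts DMs from anyone; privileged commands
    // still require the sender to be on the allowlist.
    commandAuthorized = allow.has(cmd.userId.toLowerCase());
  } else {
    commandAuthorized = allow.has(cmd.userId.toLowerCase());
  }
  return cmd.privileged ? commandAuthorized : true;
}

// Constructed scenario: dmPolicy open, one allowlisted admin, one outsider.
const OPEN_CTX: SlashContext = { dmEnabled: true, dmPolicy: "open", allowFrom: [" U0ADMIN "] };
const DISABLED_CTX: SlashContext = { ...OPEN_CTX, dmPolicy: "disabled" };
const OUTSIDER_DM: SlashCommand = { userId: "U0STRANGER", isDirectMessage: true, privileged: true };
const ADMIN_DM: SlashCommand = { userId: "u0admin", isDirectMessage: true, privileged: true };
const OUTSIDER_HELP_DM: SlashCommand = { ...OUTSIDER_DM, privileged: false };

function demo(): Record<string, boolean> {
  return {
    vulnerableOutsiderDm: authorizeVulnerable(OPEN_CTX, OUTSIDER_DM),   // true: the bypass
    fixedOutsiderDm: authorizeFixed(OPEN_CTX, OUTSIDER_DM),             // false
    fixedAdminDm: authorizeFixed(OPEN_CTX, ADMIN_DM),                   // true (case-insensitive match)
    fixedOutsiderHelpDm: authorizeFixed(OPEN_CTX, OUTSIDER_HELP_DM),    // true: non-privileged DMs still work
    fixedOutsiderDmDisabled: authorizeFixed(DISABLED_CTX, OUTSIDER_DM), // false
  };
}

console.log(demo());
```

The only difference that matters is the initial value: both versions have the same branches, but in the vulnerable one the open-policy DM path never touches commandAuthorized, so the outsider inherits true. Starting from false turns the same omission into a denial, which is the behaviour you want from an authorization gate.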
Attack Vector
An attacker exploits this vulnerability by:
- Identifying an OpenClaw instance with Slack integration enabled and dmPolicy configured as open
- Sending the OpenClaw bot a direct message containing a privileged slash command
- Having the command executed, because the handler skips the allowlist and access-group checks that normally protect privileged operations
The attacker needs only a Slack account that can send a direct message to the bot in the workspace where OpenClaw is integrated; no allowlist entry or access-group membership is required. Whether the target has dmPolicy set to open does not need to be known in advance, since it can be confirmed simply by attempting a command.
const effectiveAllowFrom = normalizeAllowList([...ctx.allowFrom, ...storeAllowFrom]);
const effectiveAllowFromLower = normalizeAllowListLower(effectiveAllowFrom);
- let commandAuthorized = true;
+ // Privileged command surface: compute CommandAuthorized, don't assume true.
+ // Keep this aligned with the Slack message path (message-handler/prepare.ts).
+ let commandAuthorized = false;
let channelConfig: SlackChannelConfigResolved | null = null;
if (isDirectMessage) {
if (!ctx.dmEnabled || ctx.dmPolicy === "disabled") {
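Review bot: the hunk flips the default to false, but the branch that must now set commandAuthorized to true for an allowlisted DM sender under dmPolicy "open" lies outside these lines, and effectiveAllowFromLower is computed at the top of the hunk without being consulted in anything shown. Please confirm the open-policy branch below derives commandAuthorized from effectiveAllowFromLower (and the access-group check) rather than leaving it false, otherwise the bypass becomes a regression that locks out legitimately allowlisted operators, and add a regression test for the DM + open + non-allowlisted sender case, which is the exact path the old default let through. Minor: the new comment says "CommandAuthorized" while the variable is commandAuthorized.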
Source: GitHub Commit Update
Detection Methods for CVE-2026-28392
Indicators of Compromise
- Slash commands executed from direct messages that OpenClaw's slash-command handler log shows as authorized although the sender holds no allowlist entry or access-group membership
- Privileged slash commands executed by users not present in the configured allowlists or access-groups
- Unusual volumes or patterns of direct message activity aimed at the OpenClaw bot
Detection Strategies
- Review OpenClaw's slash-command handler logs for commands delivered via direct message; in the Slack payload a DM arrives with channel_name set to directmessage and a channel_id beginning with D. Slack's workspace-level audit logging does not record the text of slash commands delivered to an app, so the application-side log is the primary source
- Cross-check every privileged operation against the access-group and allowlist configuration in force at the time, and treat any execution by a non-member as probable exploitation
- Alert on any privileged slash command arriving via DM while dmPolicy is open; on an unpatched version every such execution has skipped the authorization check
Monitoring Recommendations
- Enable detailed logging for all slash command handler activity in OpenClaw
- Configure alerting for any privileged slash command execution via direct message channels
- Periodically audit dmPolicy configuration settings across all OpenClaw instances
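The following is an added example in TypeScript, not OpenClaw's code, that applies the two indicators above to handler log records after the fact: executed privileged commands whose sender is not on the allowlist, split by whether they arrived via DM (the CVE's vector) or in a channel. The record format (one JSON object per line with ts, user_id, channel_id, channel_name, command and executed), the command names and the user IDs are hypothetical; map the fields your OpenClaw version actually logs onto them. The two Slack facts relied on are that DM channel IDs begin with D and that slash-command payloads carry channel_name "directmessage" for DMs.

```typescript
// Added example, not OpenClaw's code: a retrospective scan of slash-command
// handler log records for the indicators listed above. The record format is
// hypothetical (one JSON object per line with ts, user_id, channel_id,
// channel_name, command, executed). Slack facts relied on: DM channel IDs begin
// with "D" and slash-command payloads carry channel_name "directmessage" for DMs.

interface SlashLogRecord {
  ts: string;
  user_id: string;
  channel_id: string;
  channel_name?: string;
  command: string;
  executed: boolean;
}

type Reason = "dm_privileged_outside_allowlist" | "channel_privileged_outside_allowlist";

interface Alert {
  ts: string;
  user_id: string;
  command: string;
  reason: Reason;
}

interface ScanResult {
  alerts: Alert[];
  unparsed: number; // lines that were not valid records (never silently dropped)
}

function isDirectMessage(rec: SlashLogRecord): boolean {
  return rec.channel_name === "directmessage" || rec.channel_id.startsWith("D");
}

// Tolerant parser: a malformed line is counted, not thrown, so one bad record
// cannot abort the scan.
function parseRecord(line: string): SlashLogRecord | null {
  try {
    const o = JSON.parse(line);
    if (typeof o?.user_id !== "string" || typeof o?.channel_id !== "string" || typeof o?.command !== "string") {
      return null;
    }
    return {
      ts: String(o.ts ?? ""),
      user_id: o.user_id,
      channel_id: o.channel_id,
      channel_name: typeof o.channel_name === "string" ? o.channel_name : undefined,
      command: o.command,
      executed: o.executed === true,
    };
  } catch {
    return null;
  }
}

// Flag every executed privileged command whose sender is not on the allowlist.
function scanSlashLog(lines: string[], allowFrom: string[], privilegedCommands: string[]): ScanResult {
  const allow = new Set(allowFrom.map((u) => u.trim().toLowerCase()));
  const privileged = new Set(privilegedCommands.map((c) => c.toLowerCase()));
  const result: ScanResult = { alerts: [], unparsed: 0 };
  for (const line of lines) {
    const rec = parseRecord(line);
    if (!rec) { result.unparsed++; continue; }
    if (!rec.executed || !privileged.has(rec.command.toLowerCase())) continue;
    if (allow.has(rec.user_id.toLowerCase())) continue;
    result.alerts.push({
      ts: rec.ts,
      user_id: rec.user_id,
      command: rec.command,
      reason: isDirectMessage(rec) ? "dm_privileged_outside_allowlist" : "channel_privileged_outside_allowlist",
    });
  }
  return result;
}

// Constructed sample log (not real data); commands and IDs are placeholders.
const SAMPLE_LOG: string[] = [
  '{"ts":"2026-03-01T10:00:00Z","user_id":"U0ADMIN","channel_id":"D0AAA","channel_name":"directmessage","command":"/oc-config","executed":true}',
  '{"ts":"2026-03-01T10:05:00Z","user_id":"U0STRANGER","channel_id":"D0BBB","channel_name":"directmessage","command":"/oc-config","executed":true}',
  '{"ts":"2026-03-01T10:06:00Z","user_id":"U0STRANGER","channel_id":"D0BBB","channel_name":"directmessage","command":"/oc-help","executed":true}',
  '{"ts":"2026-03-01T10:07:00Z","user_id":"U0STRANGER","channel_id":"C0GENERAL","channel_name":"general","command":"/oc-config","executed":false}',
  'not a json record',
  '{"ts":"2026-03-01T10:08:00Z","user_id":"U0MEMBER","channel_id":"C0GENERAL","channel_name":"general","command":"/oc-config","executed":true}',
];

const SCAN = scanSlashLog(SAMPLE_LOG, ["U0ADMIN"], ["/oc-config"]);
console.log(SCAN); // two alerts: U0STRANGER via DM, U0MEMBER via channel; 1 unparsed line
```

Run this against the handler log covering the window in which dmPolicy was open on an unpatched build; every dm_privileged_outside_allowlist hit in that window is an execution the patched code would have refused. The channel-path reason is there so the same scan also surfaces allowlist drift unrelated to this CVE.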
How to Mitigate CVE-2026-28392
Immediate Actions Required
- Upgrade OpenClaw to version 2026.2.14 or later
- Review the current dmPolicy setting and set it to disabled if direct message functionality is not required
- Audit OpenClaw's slash-command handler logs for privileged commands executed via direct message by users outside the allowlist or access-groups
- Review and verify access-group memberships and allowlist configurations
Patch Information
The vulnerability has been addressed in OpenClaw version 2026.2.14. The fix modifies the authorization logic in src/slack/monitor/slash.ts to initialize commandAuthorized to false by default and compute proper authorization instead of assuming all DM senders are authorized. For technical details, see the GitHub Security Advisory and commit f19eabee54c49e9a2e264b4965edf28a2f92e657.
Workarounds
- Set dmPolicy to disabled until the upgrade is applied; this stops all direct message slash-command processing and is the only pre-patch change that removes the bypass
- Restrict Slack workspace membership to trusted users as an interim measure; while dmPolicy is open on a vulnerable version, anyone who can DM the bot is effectively a member of every access group, so workspace membership is the only remaining boundary
- Add logging and monitoring on slash-command activity to detect exploitation attempts
# Configuration example (illustrative: the advisory names only the dmPolicy
# setting, so confirm the exact key path or environment variable name for
# your OpenClaw version before relying on it)
# Environment variable form:
OPENCLAW_DM_POLICY=disabled
# Or in the Slack section of the configuration file:
# slack:
#   dmPolicy: disabled
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.