CVE-2026-32895: OpenClaw: Slack system events bypass sender authorization in member and message subtype handlers
Slack member_* events and message-subtype system events (message_changed, message_deleted, thread_broadcast) did not consistently enforce sender authorization before the corresponding system events were enqueued, so an event of one of these kinds could be queued without the sender check that ordinary messages receive.
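The pattern behind this class of bug, and its fix, as an added illustration that is not OpenClaw's code: an intake layer that authorizes only plain messages and lets every other branch enqueue unchecked, next to one that resolves the acting user for every accepted event kind and runs a single authorization gate before any enqueue. The allowlist, the handler names and the sample payloads are constructed for this example (the payload shapes follow Slack's Events API, where message_changed carries the editor in message.user and message_deleted carries the author in previous_message.user).

```javascript
// Added example, not OpenClaw's code. Models a Slack event intake in which every
// event must pass one sender-authorization gate before it is enqueued.

const ALLOWED_USERS = new Set(["U_ALICE"]); // constructed allowlist (assumption)

// Resolve the acting user id for any event kind this intake accepts.
// Returns null when the sender cannot be determined, so callers fail closed.
function senderOf(event) {
  if (event.type === "message") {
    switch (event.subtype) {
      case undefined:           // plain message
      case "thread_broadcast":  // sender is at the top level
        return event.user ?? null;
      case "message_changed":   // editor is inside the nested message
        return event.message?.user ?? null;
      case "message_deleted":   // author is in the deleted message copy
        return event.previous_message?.user ?? null;
      default:
        return null;
    }
  }
  if (event.type === "member_joined_channel" || event.type === "member_left_channel") {
    return event.user ?? null;
  }
  return null;
}

// Inconsistent pattern: only plain messages are authorized; subtype and
// member_* branches enqueue a system event without any sender check.
function intakeInconsistent(event, queue) {
  if (event.type === "message" && event.subtype === undefined) {
    if (!ALLOWED_USERS.has(event.user)) return false;
    queue.push({ kind: "message", user: event.user });
    return true;
  }
  if (event.type === "message") {
    queue.push({ kind: `system:${event.subtype}` }); // no check
    return true;
  }
  if (typeof event.type === "string" && event.type.startsWith("member_")) {
    queue.push({ kind: `system:${event.type}`, user: event.user }); // no check
    return true;
  }
  return false;
}

// Uniform pattern: one gate, evaluated before any enqueue, for every kind.
// An unresolvable sender is treated as unauthorized.
function intakeUniform(event, queue) {
  const sender = senderOf(event);
  if (sender === null || !ALLOWED_USERS.has(sender)) return false;
  const kind = event.type === "message" && event.subtype === undefined
    ? "message"
    : `system:${event.subtype ?? event.type}`;
  queue.push({ kind, user: sender });
  return true;
}

// Constructed sample events: five from an unauthorized user, one from Alice.
const SAMPLE_EVENTS = [
  { type: "message", user: "U_MALLORY", text: "hi", channel: "C1", ts: "1.0" },
  { type: "message", subtype: "message_changed", channel: "C1",
    message: { user: "U_MALLORY", text: "edited", ts: "1.0" } },
  { type: "message", subtype: "message_deleted", channel: "C1",
    previous_message: { user: "U_MALLORY", ts: "1.0" } },
  { type: "message", subtype: "thread_broadcast", user: "U_MALLORY", thread_ts: "1.0" },
  { type: "member_joined_channel", user: "U_MALLORY", channel: "C1" },
  { type: "message", subtype: "message_changed", channel: "C1",
    message: { user: "U_ALICE", text: "ok", ts: "2.0" } },
];

// Feed the sample events through an intake and return what reached the queue.
function runIntake(intake, events = SAMPLE_EVENTS) {
  const queue = [];
  for (const ev of events) intake(ev, queue);
  return queue;
}

console.log("inconsistent:", runIntake(intakeInconsistent).length, "queued");
console.log("uniform:", runIntake(intakeUniform).length, "queued");
```

Run under Node: the inconsistent intake queues four system events from the unauthorized user plus Alice's edit, while the uniform intake queues only Alice's edit. The design point is that the sender lookup and the authorization decision live in one place, so adding a new subtype handler cannot silently skip the gate.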
References
- github.com/advisories/GHSA-v8cg-4474-49v8
- github.com/openclaw/openclaw
- github.com/openclaw/openclaw/commit/3d30ba18a2aba1e1b302e77ff33145c3b06c01c8
- github.com/openclaw/openclaw/security/advisories/GHSA-v8cg-4474-49v8
- nvd.nist.gov/vuln/detail/CVE-2026-32895
- www.vulncheck.com/advisories/openclaw-sender-authorization-bypass-in-slack-system-event-handlers