CVE-2026-32005: OpenClaw: Slack interactive callbacks could skip configured sender checks in some shared-workspace flows
(updated )
In shared Slack workspace deployments that rely on sender restrictions (allowFrom, DM policy, or channel user allowlists), some interactive callbacks (block_action, view_submission, view_closed) could be accepted before full sender authorization checks.
In that scenario, an unauthorized workspace member could enqueue system-event text into an active session. This issue did not provide unauthenticated access, cross-gateway isolation bypass, or host-level privilege escalation by itself.
References
- github.com/advisories/GHSA-x2ff-j5c2-ggpr
- github.com/openclaw/openclaw
- github.com/openclaw/openclaw/commit/ce8c67c314b93f570f53c2a9abc124e1e3a54715
- github.com/openclaw/openclaw/security/advisories/GHSA-x2ff-j5c2-ggpr
- nvd.nist.gov/vuln/detail/CVE-2026-32005
- www.vulncheck.com/advisories/openclaw-authorization-bypass-in-interactive-callbacks-via-sender-check-skip
Code Behaviors & Features
Detect and mitigate CVE-2026-32005 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →