GHSA-v8cg-4474-49v8: OpenClaw: Slack system events bypass sender authorization in member and message subtype handlers

March 12, 2026

Slack member_* and message subtype system events (message_changed, message_deleted, thread_broadcast) were not consistently enforcing sender authorization before enqueueing system events.

References

github.com/advisories/GHSA-v8cg-4474-49v8
github.com/openclaw/openclaw
github.com/openclaw/openclaw/commit/3d30ba18a2aba1e1b302e77ff33145c3b06c01c8
github.com/openclaw/openclaw/security/advisories/GHSA-v8cg-4474-49v8

Code Behaviors & Features

Detect and mitigate GHSA-v8cg-4474-49v8 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →