GHSA-x2ff-j5c2-ggpr: OpenClaw: Slack interactive callbacks could skip configured sender checks in some shared-workspace flows

March 4, 2026

In shared Slack workspace deployments that rely on sender restrictions (allowFrom, DM policy, or channel user allowlists), some interactive callbacks (block_action, view_submission, view_closed) could be accepted before full sender authorization checks.

In that scenario, an unauthorized workspace member could enqueue system-event text into an active session. This issue did not provide unauthenticated access, cross-gateway isolation bypass, or host-level privilege escalation by itself.

References

github.com/advisories/GHSA-x2ff-j5c2-ggpr
github.com/openclaw/openclaw
github.com/openclaw/openclaw/commit/ce8c67c314b93f570f53c2a9abc124e1e3a54715
github.com/openclaw/openclaw/security/advisories/GHSA-x2ff-j5c2-ggpr

Code Behaviors & Features

Detect and mitigate GHSA-x2ff-j5c2-ggpr with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →