CVE-2026-28392 · CRITICAL 9.8 · EPSS percentile 26.4%

Description

OpenClaw versions prior to 2026.2.14 contain a privilege escalation vulnerability in the Slack slash-command handler: when dmPolicy is set to open (a setting that must be explicitly configured), the handler incorrectly authorizes any direct message sender. An attacker can therefore execute privileged slash commands via direct message, bypassing the allowlist and access-group restrictions.

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.35% probability of exploitation · percentile 26.4% · scored 2026-06-19T12:03:05Z
Published: 2026-03-05
Last modified: 2026-03-10

Underlying weaknesses (1)

CWE-863 (Incorrect Authorization)

References

  1. https://github.com/openclaw/openclaw/commit/f19eabee54c49e9a2e264b4965edf28a2f92e657
  2. https://github.com/openclaw/openclaw/security/advisories/GHSA-v773-r54f-q32w
  3. https://www.vulncheck.com/advisories/openclaw-privilege-escalation-in-slack-slash-command-handler-via-direct-messages

Type      Target                           Confidence  Tier
Weakness  Incorrect Authorization (cwe-863)  0%          live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE: CVE-2026-32906
  2. CVE: CVE-2026-32914
  3. CVE: CVE-2026-32005
  4. CVE: CVE-2026-28473
  5. CVE: CVE-2026-41359
  6. CVE: CVE-2026-31998

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.