Listen to this Post
The vulnerability exists in OpenClaw versions <=2026.2.13 when Slack DMs are configured with `dmPolicy=open` . Under this configuration, the Slack slash-command handler incorrectly treats any DM sender as command-authorized, regardless of whether that user belongs to an allowlist or access group . The intended security model requires that only specific authorized users can execute privileged slash commands, but the flawed handler logic bypasses these restrictions entirely . When a Slack user sends a DM containing a slash command to the bot, the command path fails to validate the sender against the configured allowlist . Instead, it implicitly trusts any message arriving via DM channel as legitimate . This means any workspace user who can discover the bot’s Slack handle and initiate a direct message can invoke privileged operations . The flaw stems from inconsistent authorization logic across different inbound paths—while other channels properly check permissions, the DM path contains a gap where the `CommandAuthorized` check is skipped . The fix implements the same allowlist and access-group gating logic for DMs that already exists for other inbound paths, ensuring consistent authorization enforcement across all channels .
dailycve form:
Platform: OpenClaw (npm)
Version: <=2026.2.13
Vulnerability: Slack DM Authorization Bypass
Severity: Moderate
Date: 2026-02-14
Prediction: 2026-02-20
What Undercode Say
Analytics:
Check installed OpenClaw version npm list openclaw Check if running vulnerable configuration grep -r "channels.slack.dm.policy" ~/.openclaw/config/ grep -r "dmPolicy" ~/.openclaw/config/ Check Slack channel configuration cat ~/.openclaw/config/channels/slack.yaml Search for exposed instances in logs find ~/.openclaw/logs -name ".log" | xargs grep -i "slash command from DM" Verify if allowlist exists and was bypassed cat ~/.openclaw/config/auth/allowlist.yaml Monitor for unauthorized command execution tail -f ~/.openclaw/logs/audit.log | grep -i "command.DM" Quick version comparison if [ "$(npm list openclaw --depth=0 | grep openclaw@ | cut -d@ -f2)" \< "2026.2.14" ]; then echo "Vulnerable"; else echo "Patched"; fi
Exploit:
- Attacker identifies Slack workspace using OpenClaw bot with DM enabled
- Attacker sends DM to bot containing privileged slash command (e.g.,
/admin,/system,/exec)
3. Vulnerable handler accepts command without allowlist validation
4. Bot executes privileged operation with full permissions
5. Attacker gains unauthorized access to restricted functions
Protection:
1. Update to OpenClaw 2026.2.14 or later immediately
2. Set `channels.slack.dm.policy: closed` if DM not required
3. Implement strict allowlist at Slack workspace level
- Monitor audit logs for unexpected DM command execution
5. Rotate all Slack tokens if compromise suspected
6. Apply commit f19eabee54c49e9a2e264b4965edf28a2f92e657 manually if update delayed
Impact:
Any Slack user in workspace can execute privileged commands via DM, bypassing all access controls. This enables unauthorized configuration changes, data access, system command execution, and potential lateral movement through connected services . The vulnerability transforms the Slack DM channel into an unauthenticated admin interface for any workspace member who can discover the bot .
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

