Slack · Slack · CVE-2026-28392
**Name of the Vulnerable Software and Affected Versions**
OpenClaw versions prior to 2026.2.14
**Description**
The Slack slash-command handler incorrectly authorizes any direct message sender when the `dmPolicy` is set to open. This allows attackers to execute privileged slash commands via direct message, bypassing allowlist and access-group restrictions. The issue occurs when Slack DMs are enabled with `channels.slack.dm.policy: open` (also known as `dmPolicy=open`). Any Slack user who can send a direct message to the bot could invoke privileged slash commands.
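To make the authorization flaw concrete from a defender's point of view, the following is an added Python model of a slash-command authorizer; it is not OpenClaw's code and it assumes a hypothetical `Policy`/`SlackContext` shape, a constructed set of privileged commands and the policy value `"open"` named in the advisory. `authorize_vulnerable` reproduces the described behaviour (an open DM policy short-circuits every check), while `authorize_fixed` treats the DM policy only as a "may this sender talk to the bot" gate and always runs the allowlist / access-group check for privileged commands.

```python
from dataclasses import dataclass, field

# Constructed sample: commands that must never run without an explicit grant.
PRIVILEGED_COMMANDS = {"deploy", "config"}


@dataclass
class SlackContext:
    """Who is invoking the command and whether it arrived as a direct message."""
    user_id: str
    is_dm: bool


@dataclass
class Policy:
    """Hypothetical policy shape; only 'open' is taken from the advisory."""
    dm_policy: str                      # "open" or anything else (closed/allowlist)
    allowlist: set = field(default_factory=set)          # users allowed everything
    access_groups: dict = field(default_factory=dict)    # command -> set of user ids


def _granted(policy: Policy, user_id: str, command: str) -> bool:
    """Explicit grant: global allowlist or a per-command access group."""
    return user_id in policy.allowlist or user_id in policy.access_groups.get(command, set())


def authorize_vulnerable(policy: Policy, ctx: SlackContext, command: str) -> bool:
    """Models the reported flaw: an open DM policy is treated as full authorization,
    so allowlist and access-group restrictions are never consulted for DM senders."""
    if ctx.is_dm and policy.dm_policy == "open":
        return True
    return _granted(policy, ctx.user_id, command)


def authorize_fixed(policy: Policy, ctx: SlackContext, command: str) -> bool:
    """DM policy decides only whether the sender may talk to the bot at all.
    Privileged commands always require an explicit grant, DM or not."""
    if ctx.is_dm and policy.dm_policy != "open" and ctx.user_id not in policy.allowlist:
        return False                     # closed DMs: unknown senders get nothing
    if command in PRIVILEGED_COMMANDS:
        return _granted(policy, ctx.user_id, command)
    return True                          # unprivileged commands follow the DM policy only


def audit_line(ctx: SlackContext, command: str, allowed: bool) -> str:
    """One-line decision record; useful for spotting privileged commands
    invoked over DM by users outside the allowlist."""
    channel = "dm" if ctx.is_dm else "channel"
    verdict = "ALLOW" if allowed else "DENY"
    return f"slash-command user={ctx.user_id} via={channel} cmd={command} decision={verdict}"


if __name__ == "__main__":
    # Constructed sample policy: DMs open, one admin, one ops user for /deploy.
    policy = Policy(dm_policy="open", allowlist={"U_ADMIN"}, access_groups={"deploy": {"U_OPS"}})
    outsider = SlackContext(user_id="U_RANDOM", is_dm=True)
    for name, fn in (("vulnerable", authorize_vulnerable), ("fixed", authorize_fixed)):
        decision = fn(policy, outsider, "deploy")
        print(name, "->", audit_line(outsider, "deploy", decision))
```

Run as a script it prints the two decisions for the same outsider DM: the vulnerable authorizer allows `/deploy`, the fixed one denies it while still answering unprivileged commands and honouring the access-group grant for the ops user.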
**Recommendations**
Update to version 2026.2.14 or later.