CVE-2026-32895

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.2.26

Description The software does not properly enforce sender authorization in member and message subtype system event handlers. This allows unauthorized events to be enqueued, potentially bypassing Slack DM allowlists and per-channel user allowlists. Attackers can achieve this by sending system events from non-allowlisted senders through message changed, message deleted, and thread broadcast events.

Recommendations Update to version 2026.2.26 or later.