Improper Neutralization of Special Elements in Output Used by a Downstream Component in OpenClaw - CVE-2026-24764
Published: May 4, 2026
Vulnerability identifier: #VU129502
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-24764
CWE-ID: CWE-74
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
OpenClaw
OpenClaw
Software vendor:
OpenClaw
OpenClaw
Description
The vulnerability allows a remote user to influence system prompts and disclose sensitive information or modify model behavior.
The vulnerability exists due to improper neutralization of special elements in output used by a downstream component in the Slack integration when incorporating Slack channel metadata into the model's system prompt. A remote user can control a channel topic or description to influence system prompts and disclose sensitive information or modify model behavior.
User interaction is required, and the issue is present only when the Slack integration is enabled.
Remediation
Install security update from vendor's website.