Authentication Bypass by Spoofing in OpenClaw - #VU132731

Published: May 29, 2026


Vulnerability identifier: #VU132731
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-290
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OpenClaw
Affected software:
OpenClaw

Detailed vulnerability description

The vulnerability allows a remote user to gain access to an agent intended for another Slack identity.

The vulnerability exists due to authentication bypass by spoofing in the Slack allowFrom feature, which matches policy entries against mutable display name metadata. A remote user can change their Slack display name metadata to gain access to an agent intended for another Slack identity.

Only configurations with the affected feature enabled and reachable are vulnerable.
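As an added example that is not OpenClaw's code, the following JavaScript contrasts a sender check that matches mutable display-name metadata (the pattern the advisory describes) with one that matches the immutable Slack user ID, plus a small audit of policy entries; the policy and event shapes are assumed and the events are constructed.

```javascript
// Added example, not OpenClaw's code: an allowFrom-style sender check written the
// vulnerable way (matching mutable display-name metadata) and the hardened way
// (matching the immutable Slack user ID). Policy and event shapes are assumed.

// Slack user IDs are assigned by Slack and never change; display names are
// free-form profile text the account owner can edit at any time.
const SLACK_USER_ID = /^[UW][A-Z0-9]{8,}$/;

// Vulnerable: a policy entry is satisfied by whoever currently carries that
// display name, which is a profile setting, not an identity (CWE-290 pattern).
function allowedByDisplayName(policy, event) {
  return policy.includes(event.profile.display_name);
}

// Hardened: policy entries are Slack user IDs and are compared to the event's
// `user` field, which the sender cannot choose.
function allowedByUserId(policy, event) {
  return policy.includes(event.user);
}

// Defender-side audit: report policy entries that are not user IDs, since those
// can only ever be matched against metadata the sender controls.
function mutablePolicyEntries(policy) {
  return policy.filter((entry) => !SLACK_USER_ID.test(entry));
}

// Constructed Slack-style message events. The second account has set its
// display name to the value the operator put in the policy.
const EVENTS = [
  { user: "U0100000001", profile: { display_name: "ops-lead" } },
  { user: "U0700000099", profile: { display_name: "ops-lead" } },
];

function evaluate(events = EVENTS) {
  const namePolicy = ["ops-lead"]; // the display-name policy the advisory describes
  const idPolicy = ["U0100000001"]; // the stable-identifier equivalent
  return events.map((e) => ({
    user: e.user,
    byDisplayName: allowedByDisplayName(namePolicy, e),
    byUserId: allowedByUserId(idPolicy, e),
  }));
}

console.table(evaluate());
// byDisplayName is true for both senders; byUserId is true only for U0100000001.
console.log("mutable entries:", mutablePolicyEntries(["ops-lead", "U0100000001"]));
```

Running the audit over an existing allowFrom list gives the entries that must be replaced by user IDs before the hardened check can be adopted.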


Remediation

Install the security update from the vendor's website.

Sources