Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
OpenClaw before 2026.5.12 contains a privilege escalation vulnerability in Slack plugin approvals that allows exec-authorized users to resolve plugin approvals through the exec approver gate. Attackers with limited exec approval permissions can bypass intended approval splits to approve plugin actions outside operator configuration.
AnalysisAI
Privilege escalation in OpenClaw's Slack plugin approval workflow allows authenticated users holding limited exec permissions to bypass operator-configured approval splits by resolving plugin approvals through the exec approver gate - approving actions outside their intended authorization boundary. All OpenClaw versions before 2026.5.12 are affected when the Slack plugin is deployed with approval split configurations. No public exploit code has been identified and this vulnerability is not listed in CISA KEV; the CVSS 4.0 score of 2.3 accurately reflects its narrow real-world impact, constrained by prerequisites and a low impact ceiling.
Technical ContextAI
OpenClaw implements a multi-party authorization model for Slack plugin actions using configurable 'approval splits' - operator-defined gates that distribute resolution authority among distinct roles to enforce separation of duties. The exec approver gate is one such gate, intended for a specific tier of approval authority. CWE-863 (Incorrect Authorization) describes the root cause: the system incorrectly evaluates whether an exec-authorized user holds sufficient rights to resolve approvals through that gate, failing to enforce the operator-intended split. The CVSS 4.0 AT:P (Attack Requirements: Present) metric directly encodes that the vulnerability is only reachable under a specific deployment configuration - Slack plugin active with approval splits configured. No CPE strings were provided in the available intelligence; affected scope is derived from the vendor advisory and description alone.
RemediationAI
Upgrade to OpenClaw 2026.5.12 or later, which resolves the incorrect authorization in the exec approver gate per the vendor advisory at https://github.com/openclaw/openclaw/security/advisories/GHSA-wv26-j37q-2g7p. For deployments that cannot immediately upgrade, restrict exec approval permissions to only fully trusted personnel, which eliminates the risk surface by ensuring no potentially malicious insider holds exec-level authorization. Operators should also audit existing Slack plugin approval split configurations to verify that sensitive plugin actions require approval from roles beyond the exec gate alone - adding a secondary, independent approval role as a workaround trade-off (increased approval friction in exchange for authorization boundary enforcement). Note that disabling the Slack plugin entirely removes the attack surface without affecting non-Slack functionality.
Auth bypass in OpenClaw voice-call extension before 2026.2.1. EPSS 0.68%. PoC and patch available.
Privilege escalation in OpenClaw (pre-2026.3.28) allows unauthenticated remote attackers to gain administrative access b
OpenClaw versions 2026.2.22 through 2026.2.24 contain a privilege escalation vulnerability that allows authenticated att
An authorization mismatch vulnerability in OpenClaw versions prior to 2026.3.1 allows authenticated users with operator.
OpenClaw versions prior to 2026.1.29 automatically establish WebSocket connections to attacker-controlled gateway URLs e
Path traversal in OpenClaw through version 2026.3.23 enables unauthenticated remote attackers to read arbitrary files in
OpenClaw sandbox browser functionality launches x11vnc for noVNC observer sessions without requiring authentication, all
OpenClaw versions before 2026.2.26 allow authenticated attackers to write arbitrary files outside the workspace director
OpenClaw versions prior to 2026.2.22 contain a shell environment variable injection vulnerability in the system.run func
OpenClaw versions prior to 2026.2.22 contain a resource exhaustion vulnerability where the application fails to consiste
OpenClaw versions prior to 2026.3.1 contain a sandbox escape vulnerability that allows authenticated attackers with low
OpenClaw versions 2026.1.30 and below fail to validate Telegram webhook secret tokens when `channels.telegram.webhookSec
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33333
GHSA-6c56-hgvp-5v87