CVE-2026-32895

MEDIUM5.4EPSS 0.04%

OpenClaw: Slack system events bypass sender authorization in member and message subtype handlers

發布日:2026/3/12修改日:2026/3/30

描述

### Summary Slack `member_*` and `message` subtype system events (`message_changed`, `message_deleted`, `thread_broadcast`) were not consistently enforcing sender authorization before enqueueing system events. ### Affected Packages / Versions - Package: `openclaw` (npm) - Latest published version: `2026.2.25` - Affected range: `<= 2026.2.25` - Planned patched version: `2026.2.26` (pre-set for publish-readiness) ### Technical Details Slack system-event handlers in `src/slack/monitor/events/members.ts` and `src/slack/monitor/events/messages.ts` enqueued events after channel checks without shared sender authorization. Deployments relying on Slack DM allowlists (`dmPolicy` / `allowFrom`) or per-channel `users` allowlists could receive unauthorized system-event ingress from non-allowlisted senders. The fix routes those handlers through `authorizeAndResolveSlackSystemEventContext(...)` and fails closed when message subtype sender identity cannot be resolved. ### Fix Commit(s) - `3d30ba18a2aba1e1b302e77ff33145c3b06c01c8` ### Release Process Note `patched_versions` is pre-set to `>= 2026.2.26` so once npm `2026.2.26` is published, this advisory can be published without further field edits. Thanks @tdjackey for reporting.

受影響套件(1)

CVSS 分數

來源版本嚴重程度向量
osvCVSS 4.0CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
osvCVSS 3.1MEDIUM5.4CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

參考連結(5)