CVE-2026-32906: OpenClaw: privilege escalation bypasses Slack plugin approval gate
MEDIUM
OpenClaw before 2026.5.12 contains an authorization flaw (CWE-863, Incorrect Authorization) in its Slack plugin approval workflow. Users who hold only limited exec approval permissions can resolve plugin approvals through the exec approver gate, including approvals that the operator-configured split assigns to a different gate. In AI agent deployments the plugin approval gate is the human-in-the-loop control that stands between the model and high-consequence tool calls, so a bypass lets a low-privileged account authorize agent tool invocations outside operator policy; the CVSS 4.3 score does not reflect that blast radius. No public exploit exists and the CVE is not in the CISA KEV catalog, which keeps immediate exploitation risk low to moderate, but the flaw needs nothing beyond an existing exec-tier account to exploit. Upgrade to OpenClaw 2026.5.12 and audit recent plugin approval logs for exec-gate approvals that do not match the configured split.
What is the risk?
Medium by CVSS (4.3), but contextually higher in agentic AI deployments. The vector (network-reachable, low privileges required, no user interaction) means any exec-tier account holder is a potential threat actor. Plugin approvals in agent frameworks commonly gate high-consequence actions such as external API calls, data writes and privileged tool invocations, so the real-world impact of a bypass can far exceed what the C:L/I:N/A:N impact metrics suggest; note in particular that the published vector scores no integrity impact even though the flaw lets an attacker authorize actions that change state. No KEV listing, no public exploit and no EPSS data keep this at medium priority, but organizations that assign exec approval roles broadly should treat it as high internally.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| openclaw | pip | < 2026.5.12 | 2026.5.12 |
If you run any OpenClaw version before 2026.5.12, you are affected.
What should I do?
5 steps:
- Upgrade OpenClaw to version 2026.5.12 or later immediately; this is the only full remediation.
- Until patched, audit and minimize exec approval role assignments; remove any users who do not strictly require exec-tier approval rights.
- Review plugin approval audit logs for approvals resolved via the exec approver gate that fall outside the operator-configured split, and treat anomalies as potential exploitation.
- Consider temporarily disabling the Slack plugin approval integration and requiring out-of-band manual approvals until the patch is deployed.
- Consult GHSA-wv26-j37q-2g7p and the VulnCheck advisory for vendor-specific workaround guidance and affected configuration details.
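One way to carry out the log-review step, as an added example written for this page (not OpenClaw code and not taken from the advisory). It assumes a JSON-lines audit log with the fields shown and an approval split expressed as an action-to-gate map; both are constructed here, so map them onto whatever your deployment actually emits. It flags every resolution whose gate differs from the one the split assigns, and tallies the approvers involved so the role cleanup in step two can start with them.

```python
"""Flag plugin approvals that were resolved through a gate other than the one
the operator-configured split assigns to the action.

Added example for this page, not OpenClaw code. The log format (JSON lines
with the fields below) and the split table are constructed assumptions.
"""
import json
from dataclasses import dataclass

# Assumed operator-configured approval split: action -> gate that must
# resolve it. Anything not listed falls back to the stricter operator gate.
APPROVAL_SPLIT = {
    "slack.post_message": "exec",
    "http.fetch": "operator",
    "fs.write": "operator",
}
DEFAULT_GATE = "operator"

# Constructed sample audit log, not real OpenClaw output. r-103 and r-105
# are the interesting lines: operator-split actions resolved at the exec gate.
SAMPLE_LOG = """\
{"ts":"2026-05-10T09:12:01Z","event":"approval.resolved","request_id":"r-101","action":"slack.post_message","gate":"exec","approver":"dev-alice","decision":"approve"}
{"ts":"2026-05-10T09:15:44Z","event":"approval.resolved","request_id":"r-102","action":"http.fetch","gate":"operator","approver":"ops-bob","decision":"approve"}
{"ts":"2026-05-10T09:20:13Z","event":"approval.resolved","request_id":"r-103","action":"fs.write","gate":"exec","approver":"dev-alice","decision":"approve"}
{"ts":"2026-05-10T09:21:02Z","event":"approval.requested","request_id":"r-104","action":"fs.write"}
{"ts":"2026-05-10T09:25:30Z","event":"approval.resolved","request_id":"r-105","action":"http.fetch","gate":"exec","approver":"dev-carol","decision":"deny"}
"""


@dataclass(frozen=True)
class Finding:
    request_id: str
    action: str
    approver: str
    decision: str
    expected_gate: str
    actual_gate: str


def expected_gate(action: str, split: dict = APPROVAL_SPLIT) -> str:
    """Gate the split assigns to an action; unknown actions get the strict default."""
    return split.get(action, DEFAULT_GATE)


def audit(log_text: str, split: dict = APPROVAL_SPLIT) -> list:
    """Return one Finding per resolution that bypassed the configured gate.

    Denials are reported as well as approvals: a denial through the wrong
    gate shows the same broken check, and lets a low-privileged user block
    actions that operators intended to allow.
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        if entry.get("event") != "approval.resolved":
            continue  # requests and other events carry no gate decision
        want = expected_gate(entry["action"], split)
        got = entry["gate"]
        if got != want:
            findings.append(Finding(
                request_id=entry["request_id"],
                action=entry["action"],
                approver=entry["approver"],
                decision=entry["decision"],
                expected_gate=want,
                actual_gate=got,
            ))
    return findings


def approvers_to_review(findings) -> dict:
    """Count bypass resolutions per approver, to prioritise the role cleanup step."""
    counts = {}
    for f in findings:
        counts[f.approver] = counts.get(f.approver, 0) + 1
    return counts


if __name__ == "__main__":
    found = audit(SAMPLE_LOG)
    for f in found:
        print(f"{f.request_id}: {f.action} resolved ({f.decision}) at gate "
              f"'{f.actual_gate}' by {f.approver}; split requires '{f.expected_gate}'")
    print("approvers to review:", approvers_to_review(found))
```

Unlisted actions default to the operator gate on purpose: if the split you feed the script is incomplete, the audit errs toward flagging an exec-gate resolution rather than silently accepting it.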
Frequently Asked Questions
What is CVE-2026-32906?
An authorization flaw (CWE-863) in OpenClaw before 2026.5.12: users with limited exec approval permissions can resolve plugin approvals through the exec approver gate even when the operator-configured split assigns those approvals elsewhere, so a low-privileged account can authorize agent tool invocations outside operator policy. Fixed in 2026.5.12.
Is CVE-2026-32906 actively exploited?
No confirmed active exploitation of CVE-2026-32906 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-32906?
Upgrade to OpenClaw 2026.5.12 or later. Until then: minimize exec approval role assignments, review plugin approval logs for exec-gate approvals that fall outside the configured split, consider disabling the Slack approval integration in favour of out-of-band approvals, and check GHSA-wv26-j37q-2g7p and the VulnCheck advisory for workaround details. The full five-step list is under "What should I do?" above.
What systems are affected by CVE-2026-32906?
All OpenClaw versions before 2026.5.12. Architecturally, the affected components are agent frameworks, plugin approval workflows and human-in-the-loop control planes.
What is the CVSS score for CVE-2026-32906?
CVE-2026-32906 has a CVSS v3.1 base score of 4.3 (MEDIUM).
AI Security Impact
Affected AI Architectures
- Agent frameworks
- Plugin approval workflows
- Human-in-the-loop control planes
MITRE ATLAS Techniques
- AML.T0012 Valid Accounts
- AML.T0053 AI Agent Tool Invocation
- AML.T0081 Modify AI Agent Configuration
- AML.T0107 Exploitation for Defense Evasion
Technical Details
Original Advisory
OpenClaw before 2026.5.12 contains a privilege escalation vulnerability in Slack plugin approvals that allows exec-authorized users to resolve plugin approvals through the exec approver gate. Attackers with limited exec approval permissions can bypass intended approval splits to approve plugin actions outside operator configuration.
Exploitation Scenario
An attacker holds a legitimate but limited exec approval account in an OpenClaw deployment, for example a developer scoped to a specific workflow. A plugin action that the operator-configured split routes to the operator gate comes up for approval, whether triggered by the attacker's own prompt to the agent or by ordinary activity. Instead of waiting for an operator, the attacker resolves the approval through the exec approver gate. The authorization check accepts the resolution, so the agent carries out the plugin action as if it had full operator sanction. The attacker needs no tooling, no elevated network access and no second vulnerability: only their existing credentials and the knowledge that the approval split can be bypassed via the exec gate path.
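The authorization defect this scenario relies on, modelled as an added example for this page (not OpenClaw's implementation; the class names, function names, gate names "exec" and "operator", the split table and the sample users are invented for illustration). The vulnerable resolver authorizes the caller against whichever gate the caller chose to route through, which is exactly what lets an exec-tier user resolve an operator-bound request; the hardened one binds the gate to the request when the request is raised and refuses any other path.

```python
"""Two-gate plugin approval model showing the CWE-863 pattern behind this CVE.

Added example for this page, not OpenClaw's implementation. The class and
function names, the gate names ("exec", "operator") and the sample users are
invented for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional

# Assumed operator-configured split, consulted when a request is created.
APPROVAL_SPLIT = {"slack.post_message": "exec", "fs.write": "operator"}
DEFAULT_GATE = "operator"


class AuthorizationError(Exception):
    pass


@dataclass
class User:
    name: str
    gates: set = field(default_factory=set)  # gates this user may approve at


@dataclass
class ApprovalRequest:
    request_id: str
    action: str
    required_gate: str              # bound server-side from the split
    status: str = "pending"
    resolved_by: Optional[str] = None


def new_request(request_id: str, action: str) -> ApprovalRequest:
    """Bind the gate to the request when it is raised, not when it is resolved."""
    return ApprovalRequest(request_id, action, APPROVAL_SPLIT.get(action, DEFAULT_GATE))


def resolve_vulnerable(req, user, via_gate, decision):
    """VULNERABLE: authorizes the caller against the gate the caller chose.

    A user who is a legitimate exec approver passes this check for any
    request, including one the split reserved for the operator gate.
    """
    if via_gate not in user.gates:
        raise AuthorizationError(f"{user.name} is not an approver at gate {via_gate}")
    if req.status != "pending":
        raise AuthorizationError(f"{req.request_id} already resolved")
    req.status = decision
    req.resolved_by = user.name
    return req


def resolve_fixed(req, user, via_gate, decision):
    """HARDENED: the gate is a property of the request; the path used must match it."""
    if req.status != "pending":
        raise AuthorizationError(f"{req.request_id} already resolved")
    if via_gate != req.required_gate:
        raise AuthorizationError(
            f"{req.request_id} must be resolved at gate {req.required_gate}, not {via_gate}")
    if req.required_gate not in user.gates:
        raise AuthorizationError(f"{user.name} is not an approver at gate {req.required_gate}")
    req.status = decision
    req.resolved_by = user.name
    return req


def demo() -> dict:
    """Run the scenario against both resolvers and report the outcomes."""
    dev = User("dev-alice", {"exec"})              # limited exec-tier account
    results = {}

    # Operator-reserved action, pushed through the exec gate.
    req = new_request("r-1", "fs.write")
    results["vulnerable"] = resolve_vulnerable(req, dev, "exec", "approve").status

    req = new_request("r-2", "fs.write")
    try:
        resolve_fixed(req, dev, "exec", "approve")
        results["fixed"] = req.status
    except AuthorizationError as e:
        results["fixed"] = f"rejected: {e}"

    # The legitimate path still works: exec-split action at the exec gate.
    req = new_request("r-3", "slack.post_message")
    results["fixed_legit"] = resolve_fixed(req, dev, "exec", "approve").status
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The fix is not a stricter role check but a change of what is being checked: the gate comes from the request, which was bound from the split when the request was created, so the caller cannot select a more permissive path. A caller-supplied gate parameter is still accepted only so that the mismatch is rejected loudly and logged rather than silently corrected.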
Weaknesses (CWE)
- CWE-863: Incorrect Authorization
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Related Vulnerabilities
- CVE-2026-30741 (9.8) OpenClaw: RCE via request-side prompt injection (same package: openclaw)
- CVE-2026-28451 (9.3) OpenClaw: SSRF via Feishu extension exposes internal services (same package: openclaw)
- GHSA-cwj3-vqpp-pmxr (8.8) openclaw: Model bypasses authz to persist unsafe config (same package: openclaw)
- CVE-2026-35674 (8.8) OpenClaw: scope bypass enables full agent admin takeover (same package: openclaw)
- GHSA-m3mh-3mpg-37hw (8.6) OpenClaw: .npmrc hijack enables RCE on plugin install (same package: openclaw)