AI Threat Alert AI Threat Alert

CVE-2026-41358

GHSA-qm77-8qjp-4vcm MEDIUM
Published May 4, 2026

## Summary Before OpenClaw 2026.4.2, Slack thread starter and thread-history context fetched through the API was not filtered by the effective sender allowlist. Messages from non-allowlisted senders could still enter the agent context when an allowlisted user replied in the same thread. ## Impact...

Full CISO analysis pending enrichment.

Affected Systems

Package Ecosystem Vulnerable Range Patched
openclaw npm <= 2026.4.1 2026.4.2
4 dependents 93% patched ~1d to patch Full package profile →

Do you use openclaw? You're affected.

Severity & Risk

CVSS 3.1
5.4 / 10
EPSS
0.0%
chance of exploitation in 30 days
Higher than 3% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
No known exploitation
Sophistication
N/A

Attack Surface

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI Required
S Unchanged
C Low
I Low
A None

Recommended Action

Patch available

Update openclaw to version 2026.4.2

Compliance Impact

Compliance analysis pending. Sign in for full compliance mapping when available.

Frequently Asked Questions

What is CVE-2026-41358?

OpenClaw: Slack thread context could include messages from non-allowlisted senders

Is CVE-2026-41358 actively exploited?

No confirmed active exploitation of CVE-2026-41358 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-41358?

Update to patched version: openclaw 2026.4.2.

What is the CVSS score for CVE-2026-41358?

CVE-2026-41358 has a CVSS v3.1 base score of 5.4 (MEDIUM). The EPSS exploitation probability is 0.02%.

Technical Details

NVD Description

## Summary Before OpenClaw 2026.4.2, Slack thread starter and thread-history context fetched through the API was not filtered by the effective sender allowlist. Messages from non-allowlisted senders could still enter the agent context when an allowlisted user replied in the same thread. ## Impact A Slack deployment that relied on sender allowlists could still feed non-allowlisted thread content into the model context through thread history. This was a sender-access-control bypass on Slack thread context, not a direct channel-auth bypass. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<= 2026.4.1` - Patched versions: `>= 2026.4.2` - Latest published npm version: `2026.4.1` ## Fix Commit(s) - `ac5bc4fb37becc64a2ec314864cca1565e921f2d` — filter Slack thread context by the effective allowlist ## Release Process Note The fix is present on `main` and is staged for OpenClaw `2026.4.2`. Publish this advisory after the `2026.4.2` npm release is live. OpenClaw thanks @AntAISecurityLab for reporting.

Weaknesses (CWE)

CWE-346 Origin Validation Error Primary

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

References

Timeline

Published
May 4, 2026
Last Modified
May 4, 2026
First Seen
May 4, 2026

Related Vulnerabilities

CRITICAL CVE-2026-30741 9.8

OpenClaw: RCE via request-side prompt injection

Same package: openclaw
CRITICAL CVE-2026-28451 9.3

OpenClaw: SSRF via Feishu extension exposes internal services

Same package: openclaw
HIGH GHSA-m3mh-3mpg-37hw 8.6

OpenClaw: .npmrc hijack enables RCE on plugin install

Same package: openclaw
HIGH CVE-2026-27001 7.8

OpenClaw: prompt injection via unsanitized workspace path

Same package: openclaw
HIGH GHSA-hr5v-j9h9-xjhg 7.7

OpenClaw: sandbox escape via mediaUrl path traversal

Same package: openclaw
Back to Threat Feed