CVE-2026-53823: OpenClaw: privilege escalation via Slack display name spoofing

HIGH
Published June 12, 2026
CISO Take

OpenClaw's `allowFrom` access control feature trusts Slack display names as identity anchors — a mutable attribute any Slack user can change at will — allowing any authenticated workspace member to rename themselves to match a privileged policy entry and gain unauthorized access to AI agent capabilities. The CVSS 8.1 score reflects this accurately: network-exploitable, low complexity, low privileges required, and no user interaction needed, making it a trivial lateral movement vector in any OpenClaw deployment integrated with Slack. Although no public exploit exists and it is not in CISA KEV, the attack surface is wide for teams running AI agents with Slack-based access delegation — particularly dangerous given OpenClaw has 175 prior CVEs and a related AIID incident (#1368) confirming active threat actor interest in its ecosystem. Upgrade to OpenClaw 2026.5.3 immediately, audit all `allowFrom` policies to replace display-name-based entries with immutable Slack user IDs, and review Slack audit logs for anomalous display name changes.

Sources: NVD, GitHub Advisory, ATLAS, VulnCheck

What is the risk?

High risk. CWE-290 (Authentication Bypass by Spoofing) combined with CVSS 8.1, AV:N/AC:L/PR:L/UI:N creates a nearly frictionless exploitation path — any insider or compromised Slack account becomes a potential privilege escalation vector. The mutable nature of Slack display names means no technical skill is required beyond knowing target policy entry names. In AI agent contexts this is especially dangerous: agent access controls gate not just data access but tool invocations, automated actions, and downstream system integrations. The 4 downstream dependents limit breadth but organizations building on top of OpenClaw inherit this flaw transitively.

How does the attack unfold?

1. Reconnaissance (AML.T0095): Attacker identifies privileged identity names used in OpenClaw `allowFrom` policies via public documentation, GitHub config leaks, or social engineering of workspace members.
2. Identity Spoofing (AML.T0073): Attacker changes their own Slack display name to exactly match a privileged `allowFrom` policy entry, exploiting the mutable nature of Slack display names (CWE-290).
3. Authentication Bypass (AML.T0012): Attacker sends a message or trigger to the OpenClaw agent; the agent reads the display name from Slack message metadata, matches it against the policy, and grants elevated access without further verification.
4. Unauthorized Agent Tool Invocation (AML.T0053): Attacker invokes privileged agent tools — accessing restricted data, triggering automated workflows, or pivoting to connected enterprise systems — under the guise of the impersonated identity.

What systems are affected?

| Package | Ecosystem | Vulnerable Range | Patched |
| --- | --- | --- | --- |
| OpenClaw | pip | | No patch |

4 dependents, 70% patched, ~0d to patch

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1: 8.1 / 10
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

What is the attack surface?

AV: Network
AC: Low
PR: Low
UI: None
S: Unchanged
C: High
I: High
A: None

What should I do?

1. Upgrade to OpenClaw 2026.5.3 or later — this is the only complete fix.
2. Immediately audit all `allowFrom` policy entries: replace any that reference display names with immutable identifiers (Slack user IDs via the format `U012AB3CD`, email addresses, or workspace-scoped member IDs).
3. Pull Slack workspace audit logs (Admin > Audit Logs or via Slack Audit Logs API) and review display name change events for the past 90 days, cross-referencing against policy entry names.
4. Alert on future display name changes that match any `allowFrom` policy entry — this is a detectable precursor to exploitation.
5. For systems that cannot patch immediately: disable Slack-based `allowFrom` policies and fall back to explicit user ID allowlists configured out-of-band.
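The audit and cross-referencing steps above can be scripted. The following is an added example, not OpenClaw or Slack code: the `allowFrom` list, the simplified rename records, the function names and the user ID pattern are all assumptions made for illustration.

```python
import re
import unicodedata

# Assumed shape of a Slack user ID such as U012AB3CD: "U" or "W" followed by
# eight or more uppercase letters/digits.
SLACK_USER_ID = re.compile(r"^[UW][A-Z0-9]{8,}$")
EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def normalize(name):
    """Fold Unicode compatibility forms, case and whitespace so that
    look-alike spellings of a display name compare equal."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    return " ".join(folded.split())

def audit_allow_from(entries):
    """Split entries into immutable identifiers and name-like entries."""
    immutable = [e for e in entries if SLACK_USER_ID.match(e) or EMAIL.match(e)]
    mutable = [e for e in entries if e not in immutable]
    return immutable, mutable

def flag_name_changes(events, entries):
    """Return rename events whose new display name equals a name-like entry."""
    _, mutable = audit_allow_from(entries)
    watched = {normalize(e): e for e in mutable}
    hits = []
    for ev in events:
        entry = watched.get(normalize(ev["new_display_name"]))
        if entry is not None:
            hits.append({"ts": ev["ts"], "user_id": ev["user_id"],
                         "matched_entry": entry})
    return hits

# Constructed sample data: a hypothetical allowFrom list and simplified
# rename records (not the Slack Audit Logs API schema).
ALLOW_FROM = ["U012AB3CD", "ops-lead@example.com", "AI Operations Team Lead"]
EVENTS = [
    {"ts": "2026-06-01T09:14:00Z", "user_id": "U0EXAMPLE1",
     "new_display_name": "Sam (on leave)"},
    {"ts": "2026-06-02T22:41:00Z", "user_id": "U0EXAMPLE2",
     "new_display_name": "ai  operations team LEAD"},
]

if __name__ == "__main__":
    print("replace with user IDs:", audit_allow_from(ALLOW_FROM)[1])
    for hit in flag_name_changes(EVENTS, ALLOW_FROM):
        print("ALERT:", hit)
```

Normalizing before comparison means a rename that differs from the policy entry only in case, spacing or Unicode width is still flagged.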

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: 6.1.2 - AI risk assessment; 8.4 - AI system operation — access control
NIST AI RMF: GOVERN 1.2 - Roles, responsibilities, and accountability
OWASP LLM Top 10: LLM06 - Excessive Agency

Frequently Asked Questions

Is CVE-2026-53823 actively exploited?

No confirmed active exploitation of CVE-2026-53823 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-53823?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI-Slack integrations, multi-tenant agent platforms, enterprise AI assistants.

What is the CVSS score for CVE-2026-53823?

CVE-2026-53823 has a CVSS v3.1 base score of 8.1 (HIGH).

What is the AI security impact?

Affected AI Architectures

agent frameworks, AI-Slack integrations, multi-tenant agent platforms, enterprise AI assistants

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0053 AI Agent Tool Invocation
AML.T0073 Impersonation
AML.T0106 Exploitation for Credential Access

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: 6.1.2, 8.4
NIST AI RMF: GOVERN 1.2
OWASP LLM Top 10: LLM06

What are the technical details?

Original Advisory

OpenClaw before 2026.5.3 contains a privilege escalation vulnerability in the allowFrom feature that binds to mutable Slack display names. Attackers with Slack account access can change display name metadata to match policy entries, potentially gaining unauthorized agent access intended for other identities.

Exploitation Scenario

An attacker holds a legitimate Slack account in the target organization's workspace. Through reconnaissance of OpenClaw documentation, public GitHub configs, or social engineering, they identify display names used in `allowFrom` policies — for example, a policy allowing 'AI Operations Team Lead' to invoke privileged agent actions. The attacker changes their own Slack display name to 'AI Operations Team Lead' (a zero-click, seconds-long operation in Slack settings), then sends a message or trigger to the OpenClaw agent. The agent reads the Slack display name from the message metadata, matches it against the `allowFrom` policy, and grants elevated access. The attacker can now invoke restricted agent tools — exfiltrating data, triggering automated workflows, or pivoting to connected systems — before reverting their display name to avoid detection.
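The binding flaw in this scenario, shown beside an ID-based check of the kind the remediation recommends. This is an added example, not OpenClaw's code or its 2026.5.3 patch; the event fields, function names, sample IDs and user ID pattern are assumptions.

```python
import re

# Assumed shape of a Slack user ID such as U012AB3CD.
SLACK_USER_ID = re.compile(r"^[UW][A-Z0-9]{8,}$")

def allowed_by_display_name(event, allow_from):
    """Flawed binding: trusts a profile field the sender can edit."""
    return event["display_name"] in allow_from

def load_id_policy(allow_from):
    """Fail closed at load time: refuse any entry that is not a user ID,
    so a name-based entry can never reach the authorization check."""
    bad = [e for e in allow_from if not SLACK_USER_ID.match(e)]
    if bad:
        raise ValueError(f"non-ID allowFrom entries rejected: {bad}")
    return frozenset(allow_from)

def allowed_by_user_id(event, policy):
    """Hardened binding: match only the workspace-assigned user ID."""
    return event.get("user_id") in policy

# Constructed events: the intended identity and a member who has copied
# the same display name.
LEAD = {"user_id": "U012AB3CD", "display_name": "AI Operations Team Lead"}
RENAMED = {"user_id": "U0EXAMPLE2", "display_name": "AI Operations Team Lead"}

if __name__ == "__main__":
    names = ["AI Operations Team Lead"]
    policy = load_id_policy(["U012AB3CD"])
    for label, ev in (("lead", LEAD), ("renamed", RENAMED)):
        print(label,
              "name-bound:", allowed_by_display_name(ev, names),
              "id-bound:", allowed_by_user_id(ev, policy))
```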

Weaknesses (CWE)

CWE-290 — Authentication Bypass by Spoofing: This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Timeline

Published: June 12, 2026
Last Modified: June 12, 2026
First Seen: June 13, 2026

Related Vulnerabilities