CVE-2026-53851: OpenClaw Slack reaction bypass

CISO Take

OpenClaw before version 2026.5.12 contains a missing authorization check (CWE-862) that allows Slack reaction events to enter the AI agent pipeline even when reaction notifications are explicitly disabled in configuration, enabling any Slack workspace member to inject lower-trust inputs into the agent processing layer. With CVSS 5.3 (Medium), no privileges required, and no user interaction needed, the attack surface is broad for any organization running OpenClaw against a Slack workspace. There is no active exploitation (not in CISA KEV) and no public exploit is available, moderating immediate urgency, though the real risk multiplier is the agent's downstream tool permissions — agents with write access to infrastructure or internal systems can amplify the I:L CVSS impact significantly. Upgrade to OpenClaw 2026.5.12 immediately; if patching is delayed, disable Slack reaction event integration entirely and audit pipeline execution logs for anomalous reaction-triggered activations.

Sources: NVD GitHub Advisory ATLAS

What is the risk?

Medium risk by CVSS, elevated in practice for organizations where OpenClaw agents hold privileged tool access. CWE-862 (Missing Authorization) with AV:N/AC:L/PR:N/UI:N makes the bypass trivially reachable by any Slack workspace member with zero technical sophistication. The CVSS vector caps confidentiality and availability impact at None, but the agent pipeline is an amplifier: if the agent is authorized to read internal data, write to repositories, or call cloud APIs, unauthorized reaction events can cascade into higher-impact actions far beyond the I:L baseline. No CISA KEV listing and no public exploits keep exploitation likelihood low in the near term, but the low barrier to attempt and broad Slack workspace exposure justify prompt patching.

How does the attack unfold?

Workspace Access

Attacker obtains or already holds Slack workspace membership where OpenClaw is deployed, requiring no special privileges beyond standard workspace access.

AML.T0012

Authorization Bypass

Attacker adds an emoji reaction to a Slack message; CWE-862 missing authorization check fails to gate the event despite reaction notifications being disabled in configuration.

AML.T0084.002

Pipeline Injection

Reaction event enters the OpenClaw agent pipeline as lower-trust input, bypassing the expected disabled-notification control and treated as a legitimate actionable trigger.

AML.T0051.002

Unauthorized Agent Action

Agent processes the injected event and invokes tools or executes actions using its privileged service credentials based on attacker-influenced input content.

AML.T0053

Workspace Access

Attacker obtains or already holds Slack workspace membership where OpenClaw is deployed, requiring no special privileges beyond standard workspace access.

AML.T0012

Authorization Bypass

Attacker adds an emoji reaction to a Slack message; CWE-862 missing authorization check fails to gate the event despite reaction notifications being disabled in configuration.

AML.T0084.002

Pipeline Injection

Reaction event enters the OpenClaw agent pipeline as lower-trust input, bypassing the expected disabled-notification control and treated as a legitimate actionable trigger.

AML.T0051.002

Unauthorized Agent Action

Agent processes the injected event and invokes tools or executes actions using its privileged service credentials based on attacker-influenced input content.

AML.T0053

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
OpenClaw	pip	—	No patch
4 dependents 61% patched ~0d to patch Full package profile →

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1

5.3 / 10

EPSS

N/A

Exploitation Status

No known exploitation

Sophistication

Trivial

What is the attack surface?

AV Network

AC Low

PR None

UI None

S Unchanged

C None

I Low

A None

What should I do?

5 steps

Patch immediately: upgrade OpenClaw to 2026.5.12 or later — the fix resolves the missing authorization check on reaction event ingestion.
If immediate patching is not feasible, disable Slack reaction event processing in OpenClaw configuration and validate the setting takes effect at the event handler layer.
Apply least-privilege to agent tool permissions — ensure agents cannot take high-impact actions (write operations, external API calls, data access) based solely on Slack event inputs.
Restrict Slack workspace membership to trusted personnel as defense-in-depth against unauthorized reaction senders.
Review agent pipeline execution logs retroactively for reaction-triggered activations that occurred while the feature was configured as disabled — treat these as indicators of attempted or successful exploitation.

How is it classified?

Auth Bypass Prompt Injection Agent Plugin AML.T0049 - Exploit Public-Facing Application AML.T0051.002 - Triggered AML.T0053 - AI Agent Tool Invocation AML.T0084.002 - Activation Triggers

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

8.4 - AI system risk management

NIST AI RMF

GOVERN 1.1 - AI Risk Policies and Procedures

OWASP LLM Top 10

LLM08 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-53851?

OpenClaw before version 2026.5.12 contains a missing authorization check (CWE-862) that allows Slack reaction events to enter the AI agent pipeline even when reaction notifications are explicitly disabled in configuration, enabling any Slack workspace member to inject lower-trust inputs into the agent processing layer. With CVSS 5.3 (Medium), no privileges required, and no user interaction needed, the attack surface is broad for any organization running OpenClaw against a Slack workspace. There is no active exploitation (not in CISA KEV) and no public exploit is available, moderating immediate urgency, though the real risk multiplier is the agent's downstream tool permissions — agents with write access to infrastructure or internal systems can amplify the I:L CVSS impact significantly. Upgrade to OpenClaw 2026.5.12 immediately; if patching is delayed, disable Slack reaction event integration entirely and audit pipeline execution logs for anomalous reaction-triggered activations.

Is CVE-2026-53851 actively exploited?

No confirmed active exploitation of CVE-2026-53851 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-53851?

1. Patch immediately: upgrade OpenClaw to 2026.5.12 or later — the fix resolves the missing authorization check on reaction event ingestion. 2. If immediate patching is not feasible, disable Slack reaction event processing in OpenClaw configuration and validate the setting takes effect at the event handler layer. 3. Apply least-privilege to agent tool permissions — ensure agents cannot take high-impact actions (write operations, external API calls, data access) based solely on Slack event inputs. 4. Restrict Slack workspace membership to trusted personnel as defense-in-depth against unauthorized reaction senders. 5. Review agent pipeline execution logs retroactively for reaction-triggered activations that occurred while the feature was configured as disabled — treat these as indicators of attempted or successful exploitation.

What systems are affected by CVE-2026-53851?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, Slack-integrated AI pipelines, event-driven agent systems.

What is the CVSS score for CVE-2026-53851?

CVE-2026-53851 has a CVSS v3.1 base score of 5.3 (MEDIUM).

What is the AI security impact?

Affected AI Architectures

agent frameworksSlack-integrated AI pipelinesevent-driven agent systems

MITRE ATLAS Techniques

AML.T0049 Exploit Public-Facing Application

AML.T0051.002 Triggered

AML.T0053 AI Agent Tool Invocation

AML.T0084.002 Activation Triggers

Compliance Controls Affected

EU AI Act: Article 15

ISO 42001: 8.4

NIST AI RMF: GOVERN 1.1

OWASP LLM Top 10: LLM08

What are the technical details?

Original Advisory

OpenClaw before 2026.5.12 contains a notification bypass vulnerability allowing Slack reaction events to enter the agent pipeline despite disabled reaction notifications. Attackers can trigger unintended agent processing by sending reaction events when the feature is enabled, potentially leading to unauthorized processing of lower-trust input.

Exploitation Scenario

An attacker who is a member of a Slack workspace where OpenClaw is deployed — or who compromises any workspace member account — identifies the OpenClaw bot presence in a monitored channel. The attacker crafts a message containing adversarial instructions and posts it (or identifies an existing message with useful content), then adds an emoji reaction. Despite the organization's OpenClaw configuration having reaction notifications disabled, the missing authorization check allows the reaction event to bypass the disabled gate and enter the agent pipeline. The agent processes the event as a legitimate input, interpreting the message content as instructions. Depending on the agent's tool access, the attacker can cause the agent to retrieve internal documents, execute code, post messages to other channels, or invoke external APIs — all authenticated under the agent's service credentials, with no trace attributable to the attacker beyond a Slack reaction.

Weaknesses (CWE)

CWE-862 Missing Authorization Primary

CWE-862 — Missing Authorization: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

[Architecture and Design] Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries. Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
[Architecture and Design] Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Source: MITRE CWE corpus.