OpenClaw Sender-Policy Bypass Vulnerability in Reaction and Pin Event Handlers
Vulnerability
A sender-policy bypass vulnerability has been identified in OpenClaw versions prior to 2026.2.25. The issue arises in the Slack monitor, where 'reaction_*' and 'pin_*' non-message events are dispatched before the sender-policy checks are consistently applied, so reaction and pin events from restricted senders are accepted despite the configured direct message (DM) policies and channel user allowlists.
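The ordering flaw described above, as an added illustration that is not OpenClaw's own code: the sender-policy model (a DM allowlist plus per-channel user allowlists), the event shapes and the sample users are constructed assumptions that mirror the advisory's description. The vulnerable dispatcher routes reaction/pin events before consulting the policy; the fixed dispatcher gates every event type on the policy first.

```python
# Added illustration (not OpenClaw's code): the policy model and event shapes
# below are constructed to mirror the advisory's description.
from dataclasses import dataclass, field


@dataclass
class SenderPolicy:
    """Constructed policy: DM allowlist plus per-channel user allowlists."""
    dm_allowed_users: set = field(default_factory=set)
    channel_allowlists: dict = field(default_factory=dict)  # channel -> {users}

    def allows(self, event: dict) -> bool:
        user, channel = event.get("user"), event.get("channel", "")
        if channel.startswith("D"):      # Slack DM channel ids begin with "D"
            return user in self.dm_allowed_users
        return user in self.channel_allowlists.get(channel, set())


def dispatch_vulnerable(policy: SenderPolicy, event: dict) -> str:
    """Pre-fix shape: reaction_*/pin_* events are routed before the sender
    check, so a restricted sender's reaction or pin is accepted."""
    etype = event["type"]
    if etype.startswith(("reaction_", "pin_")):
        return "accepted"                # bug: policy never consulted here
    if etype == "message" and not policy.allows(event):
        return "rejected"
    return "accepted"


def dispatch_fixed(policy: SenderPolicy, event: dict) -> str:
    """Fixed shape: the sender-policy gate runs first for every event type,
    before any type-specific handler is chosen."""
    if not policy.allows(event):
        return "rejected"
    return "accepted"


# Constructed sample events: one restricted sender in a DM and in a channel,
# and the allowed owner posting a normal message.
POLICY = SenderPolicy(dm_allowed_users={"U_OWNER"},
                      channel_allowlists={"C_OPS": {"U_OWNER"}})
SAMPLES = {
    "dm_reaction": {"type": "reaction_added", "user": "U_OUTSIDER", "channel": "D123"},
    "ch_pin": {"type": "pin_added", "user": "U_OUTSIDER", "channel": "C_OPS"},
    "owner_msg": {"type": "message", "user": "U_OWNER", "channel": "C_OPS"},
}


def regression_check() -> dict:
    """Verdict of (vulnerable, fixed) dispatch per sample, for a regression test."""
    return {name: (dispatch_vulnerable(POLICY, ev), dispatch_fixed(POLICY, ev))
            for name, ev in SAMPLES.items()}
```

The `regression_check` verdicts are the kind of assertion a defender would add to a test suite after upgrading, so that a future handler reorder cannot silently reopen the bypass.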
Impact
Exploitation of this vulnerability can lead to unauthorized injection of reaction and pin events in Slack, potentially disrupting normal user interactions and channel dynamics.
Reproduction
To reproduce this vulnerability, send a 'reaction_added' or 'pin_added' event from a user whose permissions are restricted by the channel's DM policy or user allowlist. This can be done through the Slack API or by using a bot that simulates user interactions, ensuring that the event bypasses the existing sender-policy checks.
Remediation
Users can update to OpenClaw version 2026.2.25 or later, where this vulnerability has been patched.