CVE-2026-28392 Slack — Exploit & Vulnerability Details HIGH

CVE-2026-28392

HIGH CVSS 4.0: 8.2 EPSS 0.04%

Parameter	Value
CVSS	8.2 (HIGH)
Affected Versions	before 2026.2.14
Vendor	Slack
Public PoC	No

OpenClaw versions prior to 2026.2.14 contain a privilege escalation vulnerability in the Slack slash-command handler that incorrectly authorizes any direct message sender when dmPolicy is set to open (must be configured). Attackers can execute privileged slash commands via direct message to bypass allowlist and access-group restrictions.

Attack Parameters

Attack Vector

Network

Can be exploited remotely

Attack Complexity

Low

Easy to exploit

Attack Requirements

Present

Additional conditions required

Privileges Required

None

No privileges needed

User Interaction

None

No user interaction needed

Impact Assessment

Confidentiality

None

No data leak

Integrity

High

Complete data modification

Availability

None

No disruption

CVSS Vector v4.0

References 3

https://github.com/openclaw/openclaw/commit/f19eabee54c49e9a2e264b4965edf28a2f9…

disclosure@vulncheck.com

https://github.com/openclaw/openclaw/security/advisories/GHSA-v773-r54f-q32w

disclosure@vulncheck.com

https://www.vulncheck.com/advisories/openclaw-privilege-escalation-in-slack-sla…

disclosure@vulncheck.com

Share Post Share Share Share

Related Vulnerabilities

CVE-2025-12141

Slack

1.3

CVE-2026-5557

Slack

5.3

CVE-2026-34219

Slack

8.2

CVE-2026-32895

Openclaw

5.3

CVE-2026-26964

Slack

2.7

Menu

CVE-2026-28392

Attack Parameters

Impact Assessment

CVSS Vector v4.0

References 3

Related Vulnerabilities

CVE-2025-12141

CVE-2026-5557

CVE-2026-34219

CVE-2026-32895

CVE-2026-26964

CVE Details

Editor's Choice

Menu

CVE-2026-28392

Attack Parameters

Impact Assessment

CVSS Vector v4.0

References 3

Related Vulnerabilities

CVE-2025-12141

CVE-2026-5557

CVE-2026-34219

CVE-2026-32895

CVE-2026-26964

CVE Details

Editor's Choice

Stay informed on cybersecurity