CVE-2026-41358: Origin Validation Error and Prompt Injection via OpenClaw Slack Integration

OpenClaw is an AI assistant platform that integrates with corporate chat environments like Slack. Prior to version 2026.4.2, the platform's Slack integration suffers from a CWE-346 Origin Validation Error. The vulnerability allows unauthorized actors to inject content into the agent's LLM context window.

The flaw resides specifically within the resolveSlackThreadContextData function located in extensions/slack/src/monitor/message-handler/prepare-thread-context.ts. This function is responsible for reconstructing the conversational history of a Slack thread when the OpenClaw agent is invoked. The system validates the sender of the triggering message but fails to validate the senders of historical messages retrieved from the Slack API.

Successful exploitation results in arbitrary prompt injection. Unauthorized users can manipulate the agent's behavior, extract sensitive information intended for authorized users, or alter the assistant's persona. The vendor addressed the issue in release 2026.4.2 by implementing per-message sender validation.

The OpenClaw Slack integration relies on an allowFromLower list to restrict agent access to authorized users. When an authorized user interacts with the agent within a Slack thread, the agent queries the conversations.replies API endpoint to fetch the preceding messages. The design intent is to provide the Large Language Model with continuous conversational context.

The implementation processes the array of historical messages sequentially and concatenates them into the LLM prompt. The vulnerability occurs because the origin validation logic is exclusively applied to the current triggering event. The software implicitly assumes that if the invoking user is authorized, all historical content within the invoked thread is inherently safe for ingestion.

This constitutes a critical breakdown in trust boundary enforcement. In a shared channel, any workspace user can append messages to an ongoing thread. By failing to iterate over the retrieved historical messages and verify their individual senders against the access control list, the system processes untrusted input data as privileged context.

The vulnerable implementation lacked a filtering loop during history reconstruction. The application iterated through the threadHistory object and appended text segments without evaluating the identity of the message author.

// Vulnerable Implementation
const threadHistory = await fetchHistory(threadTs);
for (const historyMsg of threadHistory) {
  historyParts.push(`${historyMsg.user}: ${historyMsg.text}`);
}

Commit ac5bc4fb37becc64a2ec314864cca1565e921f2d addresses the flaw by introducing an explicit filtering mechanism before context construction. The patch implements a validation check against the isSlackThreadContextSenderAllowed function for every individual message retrieved from the Slack API.

// Patched Implementation
const allowedThreadHistory = threadHistory.filter((historyMsg) => {
  return isSlackThreadContextSenderAllowed({
    allowFromLower: params.allowFromLower,
    userId: historyMsg.userId,
    botId: historyMsg.botId,
  });
});

The fix comprehensively mitigates the specific attack vector by ensuring only authenticated inputs enter the prompt structure. The developers also introduced diagnostic logging to record instances where messages are explicitly omitted due to failed validation, providing visibility into potential injection attempts.

Exploitation requires the attacker to possess access to a Slack workspace where the OpenClaw integration is deployed. The attacker does not need to exist on the allowFromLower list. The vulnerability requires user interaction (UI:R), as an authorized user must invoke the agent within a poisoned thread.

The attacker initiates the exploit by injecting a prompt payload into an existing Slack thread or creating a new thread starter. The payload contains specific instructions directed at the underlying LLM. Subsequently, an authorized user replies to the thread and mentions the OpenClaw agent. The agent fetches the thread history, ingests the attacker's payload, and executes the unauthorized instructions.

The following sequence diagram illustrates the execution flow of a successful context poisoning attack against the vulnerable integration.

The primary impact is unauthorized manipulation of the AI agent's execution context. Depending on the configured capabilities of the OpenClaw agent, an attacker can extract sensitive conversational data, manipulate decision-making processes, or leverage the agent's privileges to perform unintended actions on behalf of the authorized user.

The CVSS v3.1 score of 5.4 reflects the medium severity of the vulnerability. The attack vector is Network (AV:N), but the complexity is offset by the requirement for User Interaction (UI:R) from an authorized entity. The impact metrics (C:L/I:L/A:N) indicate localized exposure of confidential data and modification of system state without causing a denial of service.

The EPSS score of 0.00016 indicates a low probability of imminent widespread exploitation in the wild. However, the availability of technical reproduction steps and the conceptual simplicity of the attack make targeted exploitation highly feasible against misconfigured corporate workspaces.

The vendor provides a direct remediation via software update. Administrators must upgrade OpenClaw deployments to version 2026.4.2 or later. The patch modifies the context preparation logic to strictly enforce the sender allowlist across the entire Slack thread history.

Administrators should conduct a thorough review of the Slack integration configuration. The allowFrom list must be strictly maintained to ensure only authorized personnel have access. Additionally, administrators should disable the allowNameMatching feature to prevent actors from spoofing the display names of authorized users to bypass access controls.

Security teams can implement detection mechanisms by monitoring application logs. The patched version emits specific log entries, such as slack: omitted non-allowlisted thread starter from context, when the filtering logic drops an unauthorized message. Correlating these logs with Slack audit trails facilitates the identification of active injection attempts.