CVE-2026-53823: OpenClaw Slack allowFrom Authentication Bypass via Mutable Display Names
OpenClaw's Slack allowlist matched on mutable display names instead of stable user IDs, letting any workspace member rename themselves to impersonate an allowlisted identity and gain agent access.
The problem
In OpenClaw versions up to and including 2026.5.3-1, the `channels.slack.allowFrom` and per-channel `users` lists accepted plain display names as valid identity tokens.
Slack display names are user-controlled and can be changed freely by any workspace member. An attacker who can read the gateway config, or who can guess an allowlisted display name, can rename their account to match and receive all agent access intended for that identity, including tool execution and exec approvals.
Proof of concept
A working proof of concept for this issue in openclaw; the exact configuration and steps are below.
    # Vulnerable config: operator uses a display name, not a stable Slack user ID
    # openclaw.json (affected version <= 2026.5.3-1)
    {
      "channels": {
        "slack": {
          "dmPolicy": "allowlist",
          "allowFrom": ["alice"]
        }
      }
    }

    # Attack: attacker logs into Slack, opens
    # Profile > Edit Profile > Display name
    # and changes their display name to: alice
    #
    # They then DM the OpenClaw gateway bot.
    # OpenClaw resolves the sender display name "alice",
    # finds it in allowFrom, and grants full agent access.
    #
    # No code or token needed beyond a normal Slack account in the workspace.

The root cause is that `allowFrom` entries were resolved by comparing incoming Slack display name (or profile name) metadata against the configured list. Slack display names are mutable by any account holder, so an attacker only needs workspace membership and the ability to read or guess the allowlisted value.
The patch flipped the default so that only immutable Slack user IDs (format `UXXXXXXXXX`) are accepted. Name-based matching is now opt-in via the `dangerouslyAllowNameMatching` toggle, which the docs explicitly mark as a break-glass option to keep off unless needed.
The CWE-290 (Authentication Bypass by Spoofing) classification fits exactly: the identity check relied on a claim the attacker controls.
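To make the root cause concrete, here is an added example (not OpenClaw's own code) of a minimal Slack DM allowlist check in the two shapes the advisory contrasts: a name-based matcher that accepts whatever identity the sender presents, and an ID-only matcher where name entries are inert unless a break-glass toggle (modelled on `dangerouslyAllowNameMatching`) is set. The sender objects, user IDs and the `[UW]`-prefixed ID pattern are constructed for the example; Slack user IDs begin with `U` (or `W` on Enterprise Grid) and the attacker's display name is assumed to already equal the allowlisted value.

```javascript
// Added example, not OpenClaw's code: name-based vs ID-only allowlist matching.

// Stable Slack user IDs start with U (or W on Enterprise Grid) followed by
// uppercase alphanumerics. A user-chosen display name never has this shape.
const SLACK_USER_ID = /^[UW][A-Z0-9]{8,}$/;

function isSlackUserId(value) {
  return typeof value === "string" && SLACK_USER_ID.test(value);
}

// Vulnerable matcher (pre-fix behaviour as described): every identity the
// sender carries, including the mutable display name, is compared to allowFrom.
function isAllowedVulnerable(allowFrom, sender) {
  const candidates = [sender.id, sender.displayName, sender.realName];
  return candidates.some((c) => c && allowFrom.includes(c));
}

// Hardened matcher: only the immutable user ID can match, and only allowlist
// entries shaped like user IDs take part. Name entries are ignored unless the
// operator explicitly opts in to name matching.
function isAllowedHardened(allowFrom, sender, { dangerouslyAllowNameMatching = false } = {}) {
  const idEntries = allowFrom.filter(isSlackUserId);
  if (idEntries.includes(sender.id)) return true;
  if (!dangerouslyAllowNameMatching) return false;
  // Break-glass path: name entries are honoured again, with the spoofing risk that implies.
  const nameEntries = allowFrom.filter((e) => !isSlackUserId(e));
  return [sender.displayName, sender.realName].some((n) => n && nameEntries.includes(n));
}

// Constructed senders: the real allowlisted member, and another workspace
// member whose display name has been set to the same string.
const ALICE = { id: "U0AAAAAAAA1", displayName: "alice", realName: "Alice Example" };
const IMPOSTOR = { id: "U0ZZZZZZZZ9", displayName: "alice", realName: "Mallory" };

// Runs both matchers against a name-based and an ID-based allowlist.
function demo() {
  const nameBasedAllowFrom = ["alice"];
  const idBasedAllowFrom = [ALICE.id];
  return {
    vulnerableAllowsImpostor: isAllowedVulnerable(nameBasedAllowFrom, IMPOSTOR),
    hardenedNameListAllowsImpostor: isAllowedHardened(nameBasedAllowFrom, IMPOSTOR),
    hardenedIdListAllowsAlice: isAllowedHardened(idBasedAllowFrom, ALICE),
    hardenedIdListAllowsImpostor: isAllowedHardened(idBasedAllowFrom, IMPOSTOR),
  };
}

console.log(demo());
```

Note that the hardened matcher gives a name-only allowlist no members at all rather than silently matching on names, which is why the advisory's migration step (replace names with IDs) is mandatory after upgrading and not merely recommended.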
The fix
Upgrade to openclaw 2026.5.3 (npm: `npm install -g openclaw@2026.5.3` or `pnpm add -g openclaw@2026.5.3`). After upgrading, replace any display-name strings in `allowFrom` and per-channel `users` lists with stable Slack user IDs (format `UXXXXXXXXX`, visible in Slack > Profile > More).
Do not enable `dangerouslyAllowNameMatching` unless you have no path to migrate. As interim hardening on affected versions, use only stable IDs in allowlists, keep channel and tool allowlists narrow, and avoid sharing one Gateway between mutually untrusted users.
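As an added migration aid (not part of OpenClaw), the following script audits a parsed `openclaw.json` object for the pre-fix allowlist pattern: any entry in an `allowFrom` or `users` array under `channels.slack` that is not a stable Slack user ID, plus an enabled `dangerouslyAllowNameMatching` toggle. The exact per-channel layout is not given on this page, so the walker matches lists by key name wherever they appear under `channels.slack`; the sample config, its `C0EXAMPLE01` channel key and the user IDs are constructed.

```javascript
// Added example, not OpenClaw's code: flag allowlist entries that are not stable user IDs.

const SLACK_USER_ID = /^[UW][A-Z0-9]{8,}$/;
// Assumption: the lists the advisory names are keyed allowFrom and users.
const LIST_KEYS = new Set(["allowFrom", "users"]);

// Returns an array of { path, entry, reason } findings; empty means nothing to migrate.
function auditSlackAllowlists(config) {
  const findings = [];
  const slack = config?.channels?.slack;
  if (!slack) return findings;

  if (slack.dangerouslyAllowNameMatching === true) {
    findings.push({
      path: "channels.slack.dangerouslyAllowNameMatching",
      entry: true,
      reason: "break-glass name matching is enabled; display names can be spoofed",
    });
  }

  // Recursive walk so per-channel lists are found regardless of nesting depth.
  const walk = (node, path) => {
    if (Array.isArray(node)) {
      node.forEach((v, i) => walk(v, `${path}[${i}]`));
      return;
    }
    if (node === null || typeof node !== "object") return;
    for (const [key, value] of Object.entries(node)) {
      const childPath = `${path}.${key}`;
      if (LIST_KEYS.has(key) && Array.isArray(value)) {
        for (const entry of value) {
          if (typeof entry !== "string" || !SLACK_USER_ID.test(entry)) {
            findings.push({
              path: childPath,
              entry,
              reason: "not a stable Slack user ID; replace with the member's UXXXXXXXXX ID",
            });
          }
        }
      } else {
        walk(value, childPath);
      }
    }
  };
  walk(slack, "channels.slack");
  return findings;
}

// Constructed sample: one display name and one ID in allowFrom, and a
// per-channel users list (channel layout assumed) holding another display name.
const SAMPLE_CONFIG = {
  channels: {
    slack: {
      dmPolicy: "allowlist",
      allowFrom: ["alice", "U0AAAAAAAA1"],
      channels: { C0EXAMPLE01: { users: ["bob"] } },
    },
  },
};

console.log(auditSlackAllowlists(SAMPLE_CONFIG));
```

Run it against the real file with `JSON.parse(fs.readFileSync("openclaw.json", "utf8"))`; a clean result after the upgrade confirms that no name-based entries remain and that the break-glass toggle is off.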
Reported by Philip (@PhilipPhil).
Related research
- CVE-2026-53832 (high): openclaw Trusted-Proxy Identity Header Forgery via Same-Host Loopback
- CVE-2026-53817 (high, 8): openclaw Control UI Locality Spoofing to Admin Token Mint
- CVE-2026-53833 (high): OpenClaw QQBot Incorrect Authorization on /bot-streaming Command
- CVE-2026-53821 (high, 8.8): openclaw Trusted-Proxy WebSocket Scope Elevation