{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24764", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-26T21:06:47.867Z", "datePublished": "2026-02-19T01:10:17.540Z", "dateUpdated": "2026-02-19T17:45:16.959Z"}, "containers": {"cna": {"title": "OpenClaw has Remote Code Execution via System Prompt Injection in Slack Channel Descriptions", "problemTypes": [{"descriptions": [{"cweId": "CWE-74", "lang": "en", "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-94", "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/openclaw/openclaw/security/advisories/GHSA-782p-5fr5-7fj8", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-782p-5fr5-7fj8"}, {"name": "https://github.com/openclaw/openclaw/commit/35eb40a7000b59085e9c638a80fd03917c7a095e", "tags": ["x_refsource_MISC"], "url": "https://github.com/openclaw/openclaw/commit/35eb40a7000b59085e9c638a80fd03917c7a095e"}, {"name": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.3", "tags": ["x_refsource_MISC"], "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.3"}], "affected": [{"vendor": "clawdbot", "product": "clawdbot", "versions": [{"version": "< 2026.2.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-19T01:10:17.540Z"}, "descriptions": [{"lang": "en", "value": "OpenClaw (formerly Clawdbot) is a personal AI assistant users run on their own devices. In versions 2026.2.2 and below, when the Slack integration is enabled, channel metadata (topic/description) can be incorporated into the model's system prompt. Prompt injection is a documented risk for LLM-driven systems. This issue increases the injection surface by allowing untrusted Slack channel metadata to be treated as higher-trust system input. This issue has been fixed in version 2026.2.3."}], "source": {"advisory": "GHSA-782p-5fr5-7fj8", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-19T17:05:02.744032Z", "id": "CVE-2026-24764", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T17:45:16.959Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24764", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-19T17:05:02.744032Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T17:05:04.460Z"}}], "cna": {"title": "OpenClaw has Remote Code Execution via System Prompt Injection in Slack Channel Descriptions", "source": {"advisory": "GHSA-782p-5fr5-7fj8", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "clawdbot", "product": "clawdbot", "versions": [{"status": "affected", "version": "< 2026.2.3"}]}], "references": [{"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-782p-5fr5-7fj8", "name": "https://github.com/openclaw/openclaw/security/advisories/GHSA-782p-5fr5-7fj8", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/openclaw/openclaw/commit/35eb40a7000b59085e9c638a80fd03917c7a095e", "name": "https://github.com/openclaw/openclaw/commit/35eb40a7000b59085e9c638a80fd03917c7a095e", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.3", "name": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.3", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "OpenClaw (formerly Clawdbot) is a personal AI assistant users run on their own devices. In versions 2026.2.2 and below, when the Slack integration is enabled, channel metadata (topic/description) can be incorporated into the model's system prompt. Prompt injection is a documented risk for LLM-driven systems. This issue increases the injection surface by allowing untrusted Slack channel metadata to be treated as higher-trust system input. This issue has been fixed in version 2026.2.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-74", "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-19T01:10:17.540Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24764", "state": "PUBLISHED", "dateUpdated": "2026-02-19T17:45:16.959Z", "dateReserved": "2026-01-26T21:06:47.867Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-19T01:10:17.540Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "AB694F3B-E1D5-4980-8413-808F7AABF7F1", "versionEndExcluding": "2026.2.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenClaw (formerly Clawdbot) is a personal AI assistant users run on their own devices. In versions 2026.2.2 and below, when the Slack integration is enabled, channel metadata (topic/description) can be incorporated into the model's system prompt. Prompt injection is a documented risk for LLM-driven systems. This issue increases the injection surface by allowing untrusted Slack channel metadata to be treated as higher-trust system input. This issue has been fixed in version 2026.2.3."}], "id": "CVE-2026-24764", "lastModified": "2026-02-19T18:30:39.867", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-19T07:17:44.957", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/openclaw/openclaw/commit/35eb40a7000b59085e9c638a80fd03917c7a095e"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.3"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Patch", "Vendor Advisory"], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-782p-5fr5-7fj8"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-94"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2026.2.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "clawdbot", "source": "cna", "vendor": "clawdbot"}, "product": "clawdbot", "vendor": "clawdbot"}], "analysis": {"en": {"generated_at": "2026-04-17T18:19:39.865115+00:00", "value": {"mitigation_remediation": ["Update OpenClaw to version 2026.2.3 or later, which removes the injection surface.", "If an immediate upgrade is not possible, disable the Slack integration until the update is applied to eliminate the attack vector.", "Audit existing Slack channel topics and descriptions for suspicious content before allowing the Slack integration to operate normally."], "summary": {"action": "Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The flaw affects OpenClaw versions 2026.2.2 and earlier, including the original Clawdbot release. The software runs on Node.js environments and is distributed via the openclaw GitHub repository. The issue is specific to installations that have enabled the Slack integration.", "description_and_impact": "OpenClaw, a locally run AI assistant, incorporates Slack channel metadata into its system prompt when the Slack integration is enabled. This design allows an attacker to inject malicious content through the channel\u2019s topic or description, causing the language model to execute unintended commands. The vulnerability is a form of code injection, mapped to CWE-74 and CWE-94, and provides a direct pathway to arbitrary code execution on the host running OpenClaw.", "risk_and_exploitability": "The CVSS score of 3.7 indicates low to moderate severity, yet the impact of remote code execution cannot be ignored. The EPSS score of less than 1% suggests a low probability of active exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. Nonetheless, an attacker who gains the ability to post or edit a Slack channel\u2019s topic or description can trigger the injection, potentially compromising the entire host machine. Prompt mitigation is advised to prevent any potential compromise."}}}}, "created": "2026-02-19T10:07:55.416464+00:00", "updated": "2026-04-17T18:30:05.648437+00:00", "vendors": ["clawdbot", "clawdbot$PRODUCT$clawdbot"]}