CVE-2026-24764 PUBLISHED

OpenClaw has Remote Code Execution via System Prompt Injection in Slack Channel Descriptions

Assigner: GitHub_M
Reserved: 26.01.2026 Published: 19.02.2026 Updated: 19.02.2026

OpenClaw (formerly Clawdbot) is a personal AI assistant users run on their own devices. In versions 2026.2.2 and below, when the Slack integration is enabled, channel metadata (topic/description) can be incorporated into the model's system prompt. Prompt injection is a documented risk for LLM-driven systems. This issue increases the injection surface by allowing untrusted Slack channel metadata to be treated as higher-trust system input. This issue has been fixed in version 2026.2.3.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N
CVSS Score: 3.7

Attack Vector	Network	Scope	Unchanged
Attack Complexity	High	Confidentiality Impact	Low
Privileges Required	Low	Integrity Impact	Low
User Interaction	Required	Availability Impact	None

CVSS 3.1

Product Status

Vendor	clawdbot
Product	clawdbot
Versions	Version < 2026.2.3 is affected

References

Problem Types

CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE
CWE-94: Improper Control of Generation of Code ('Code Injection') CWE