CVE-2026-53823

OpenClaw · OpenClaw

A privilege escalation vulnerability in OpenClaw allows attackers with Slack account access to manipulate display name metadata to impersonate other identities.

Executive summary

A privilege escalation flaw in OpenClaw lets attackers impersonate other identities by manipulating display name metadata; an immediate update is required.

Vulnerability

The vulnerability exists in the "allowFrom" feature, whose policy entries are bound to Slack display names, a profile field that any account holder can change. An attacker who already controls a Slack account can set that account's display name to match a policy entry and thereby receive the access intended for a different identity.
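The following is an added, constructed illustration of the weak pattern described above beside its hardened form; it is not OpenClaw's code, and the member IDs, display names and policy sets are assumed values. The vulnerable check compares the policy entry against the sender-editable display name, while the hardened check compares it against the immutable Slack member ID.

```python
"""Constructed example: an allow-list keyed on a mutable Slack display name
versus one keyed on the immutable member ID. Illustrative only."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class SlackMessage:
    user_id: str       # Slack member ID, fixed at account creation (e.g. "U0000AAAAA")
    display_name: str  # profile field the account owner can edit at any time
    text: str


def allowed_by_display_name(msg: SlackMessage, allow_from: set[str]) -> bool:
    """Vulnerable pattern: the policy entry is matched against a sender-controlled field."""
    return msg.display_name in allow_from


def allowed_by_user_id(msg: SlackMessage, allow_from: set[str]) -> bool:
    """Hardened pattern: the policy entry is the member ID, which the sender cannot change."""
    return msg.user_id in allow_from


def evaluate(msg: SlackMessage, names: set[str], ids: set[str]) -> dict[str, bool]:
    """Run both checks on one message so the outcomes can be compared side by side."""
    return {
        "display_name_check": allowed_by_display_name(msg, names),
        "user_id_check": allowed_by_user_id(msg, ids),
    }


# Constructed fixture (assumed values): the intended operator, and a second
# account whose owner has set their own display name to the same string.
POLICY_NAMES = {"alice.ops"}
POLICY_IDS = {"U0000AAAAA"}
OPERATOR = SlackMessage("U0000AAAAA", "alice.ops", "deploy prod")
LOOKALIKE = SlackMessage("U0000BBBBB", "alice.ops", "deploy prod")


if __name__ == "__main__":
    for label, msg in (("operator", OPERATOR), ("lookalike", LOOKALIKE)):
        # The display-name check admits both; only the ID check rejects the lookalike.
        print(label, evaluate(msg, POLICY_NAMES, POLICY_IDS))
```

Binding the policy to the member ID is the property the fixed release is expected to provide; the same comparison is what a reviewer should look for when auditing any integration that keys authorization on profile fields.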

Business impact

With a CVSS score of 8.1, this vulnerability poses a high risk of identity impersonation and unauthorized access to sensitive internal systems. Exploitation could lead to significant data breaches or the execution of fraudulent commands under the guise of authorized personnel, with severe operational and trust-related consequences.

Remediation

Immediate Action: Upgrade to OpenClaw version 2026.5.3 or later to secure the display name metadata handling.

Proactive Monitoring: Monitor Slack integration logs for rapid or suspicious changes to display name metadata that do not align with standard user profile updates.

Compensating Controls: Implement strict identity verification processes for critical actions and limit the ability of users to modify display names within the Slack environment.

Exploitation status

Public Exploit Available: false

Analyst recommendation

This vulnerability undermines the trust model of the integration, allowing for identity impersonation. Organizations using OpenClaw must prioritize the upgrade to version 2026.5.3 to prevent unauthorized privilege escalation and ensure the integrity of identity-based policies.