Intel

AIKIDO-2026-202363

slack_bolt is vulnerable to Improper Authentication

Improper Authentication Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Jul 2, 2026

48

Medium Risk

This Affects:

PYTHONslack_bolt
1.0.0 - 1.28.0
Fixed in 1.29.0
Are you affected? Scan for Free

TL;DR

The RequestVerification middleware in slack_bolt skips Slack request signature verification whenever the form body contains ssl_check=1. When an application disables the built-in SSL check middleware, this exemption lets an unsigned HTTP request continue through the normal middleware and listener pipeline, so a forged request that omits a valid x-slack-signature can reach slash command and event handlers. This lets untrusted input invoke handler logic without a valid Slack signature. The fix removes the ssl_check exemption so signature verification is required for all HTTP requests and only Socket Mode requests are skipped.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your app disables the SSL check middleware by setting ssl_check_enabled to False.

Background info

slack_bolt is vulnerable to Improper Authentication in versions 1.0.0 - 1.28.0.

How to fix this

Upgrade the slack_bolt library to the patch version.