GHSA-gxhx-2686-5h9g: Signature Verification Bypass in slack-go via Empty SecretsVerifier Vulnerability ID: GHSA-GXHX-2686-5H9G CVSS Score: 7.7 Published: 2026-05-14 The slack-go library prior to version 0.23.1 contains a cryptographic signature verification vulnerability. The SecretsVerifier component fails to validate whether the provided Slack signing secret is empty. Applications initializing this verifier with an empty string—such as from a missing environment variable—allow attackers to bypass request authentication by forging signatures with an empty HMAC key. TL;DR slack-go < 0.23.1 permits empty signing secrets, enabling attackers to bypass Slack request verification by generating valid HMAC signatures using an empty key if the application environment is misconfigured.…