Untriaged
Permalink
CVE-2026-32028
3.7 LOW
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): HIGH
- Privileges required (PR): NONE
- User interaction (UI): NONE
- Scope (S): UNCHANGED
- Confidentiality impact (C): NONE
- Integrity impact (I): LOW
- Availability impact (A): NONE
OpenClaw < 2026.2.25 - Missing Authorization Check in Discord DM Reaction Ingress
OpenClaw versions prior to 2026.2.25 fail to enforce dmPolicy and allowFrom authorization checks on Discord direct-message reaction notifications, allowing non-allowlisted users to enqueue reaction-derived system events. Attackers can exploit this inconsistency by reacting to bot-authored DM messages to bypass DM authorization restrictions and trigger downstream automation or tool policies.
References
- GitHub Security Advisory (GHSA-354r-7mfh-7rh2) third-party-advisory
- Patch Commit patch
- VulnCheck Advisory: OpenClaw < 2026.2.25 - Missing Authorization Check in Discord DM Reaction Ingress third-party-advisory
Affected products
OpenClaw
- ==2026.2.25
- <2026.2.25
Package maintainers
-
@chrisportela Chris Portela <chris@chrisportela.com>