CVE-2026-32028
Source: NVD
CVSS Score: 3.7
Severity: LOW
Published: Mar 19, 2026
Vendor: openclaw
Description
OpenClaw versions prior to 2026.2.25 fail to enforce dmPolicy and allowFrom authorization checks on Discord direct-message reaction notifications, allowing non-allowlisted users to enqueue reaction-derived system events. Attackers can exploit this inconsistency by reacting to bot-authored DM messages to bypass DM authorization restrictions and trigger downstream automation or tool policies.