CVE-2026-32028

LOW SEVERITY

CVSS Score & Metrics

Base Score

3.7 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N                                    

Vulnerability Description

OpenClaw versions prior to 2026.2.25 fail to enforce dmPolicy and allowFrom authorization checks on Discord direct-message reaction notifications, allowing non-allowlisted users to enqueue reaction-derived system events. Attackers can exploit this inconsistency by reacting to bot-authored DM messages to bypass DM authorization restrictions and trigger downstream automation or tool policies.

Vulnerability Details

Published Date

March 19, 2026

Last Modified

March 25, 2026

CWE ID

CWE-863

Source

NVD

Vendor

OpenClaw

Product

OpenClaw

External References

https://github.com/openclaw/openclaw/commit/aedf62ac7e669a89c7b299201bf6537dc6b12e0e
https://github.com/openclaw/openclaw/security/advisories/GHSA-354r-7mfh-7rh2
https://www.vulncheck.com/advisories/openclaw-missing-authorization-check-in-discord-dm-reaction-ingress

CVE-2026-32028

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment