GHSA-jp4j-q5fc-58gv

Source
https://github.com/advisories/GHSA-jp4j-q5fc-58gv
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-jp4j-q5fc-58gv/GHSA-jp4j-q5fc-58gv.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-jp4j-q5fc-58gv
Downstream
Published
2026-03-31T23:58:08Z
Modified
2026-04-01T00:27:41.936143Z
Severity
  • 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N CVSS Calculator
Summary
OpenClaw's Discord component interaction ingress skips guild/channel policy enforcement
Details

Summary

Discord button and component interaction ingress did not consistently reapply the same guild and channel policy gates used for normal inbound messages.

Impact

Users could trigger privileged component actions from contexts that should have been blocked by Discord channel policy.

Affected Component

extensions/discord/src/monitor/agent-components.ts

Fixed Versions

  • Affected: >= 2026.2.14, <= 2026.3.24
  • Patched: >= 2026.3.28
  • Latest stable 2026.3.28 contains the fix.

Fix

Fixed by commit 511093d4b3 (Discord: apply component interaction policy gates).
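The defect class here (CWE-862, missing authorization on one ingress path) is easiest to see as code. The following is an added illustration written for this page, not OpenClaw's code and not the fix in commit 511093d4b3; every name (`Policy`, `isAllowedByPolicy`, `ingress`, the sample guild and channel ids) is an assumption. It contrasts a component handler that skips the guild/channel gate with a dispatcher that routes every Discord ingress kind through the same gate before any handler runs, so a new interaction type cannot forget it.

```typescript
// Added, hypothetical example of a shared Discord ingress policy gate.
// Names and structure are assumptions, not OpenClaw's implementation.

type Policy = {
  allowedGuilds: Set<string>;
  allowedChannels: Set<string>;
};

type Context = { guildId: string; channelId: string };
type InboundMessage = Context & { kind: "message"; content: string };
type ComponentInteraction = Context & { kind: "component"; customId: string };
type Ingress = InboundMessage | ComponentInteraction;

// The single gate every inbound Discord event must pass, regardless of kind.
function isAllowedByPolicy(policy: Policy, ctx: Context): boolean {
  return policy.allowedGuilds.has(ctx.guildId) && policy.allowedChannels.has(ctx.channelId);
}

// Vulnerable shape: the component path assumes a button click is trustworthy
// because the button was rendered in an allowed channel, and never re-checks
// the guild/channel policy for the context the interaction actually arrives from.
function handleComponentUnchecked(_policy: Policy, i: ComponentInteraction): string {
  return `ran:${i.customId}`;
}

// Hardened shape: the component path reapplies the same gate as messages.
function handleComponent(policy: Policy, i: ComponentInteraction): string {
  if (!isAllowedByPolicy(policy, i)) return "blocked";
  return `ran:${i.customId}`;
}

function handleMessage(policy: Policy, m: InboundMessage): string {
  if (!isAllowedByPolicy(policy, m)) return "blocked";
  return `handled:${m.content}`;
}

// Structural fix: gate once at the ingress boundary, then dispatch by kind.
// Handlers below this point never see an event that failed policy.
function ingress(policy: Policy, event: Ingress): string {
  if (!isAllowedByPolicy(policy, event)) return "blocked";
  switch (event.kind) {
    case "message":
      return handleMessage(policy, event);
    case "component":
      return handleComponent(policy, event);
  }
}

// Constructed sample policy and events (not real guild or channel ids).
const samplePolicy: Policy = {
  allowedGuilds: new Set(["guild-A"]),
  allowedChannels: new Set(["chan-ops"]),
};

const okButton: ComponentInteraction = {
  kind: "component", guildId: "guild-A", channelId: "chan-ops", customId: "approve",
};
// Same button id, but clicked from a guild/channel the policy does not allow.
const strayButton: ComponentInteraction = {
  kind: "component", guildId: "guild-B", channelId: "chan-random", customId: "approve",
};
const okMessage: InboundMessage = {
  kind: "message", guildId: "guild-A", channelId: "chan-ops", content: "status",
};

export { isAllowedByPolicy, handleComponentUnchecked, handleComponent, handleMessage, ingress,
         samplePolicy, okButton, strayButton, okMessage };
```

The detection side follows from the same structure: if the gate is the only entry point, a log line for every `blocked` result gives a single place to alert on interactions arriving from unexpected guilds or channels.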

Database specific
{
    "nvd_published_at": null,
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-862"
    ],
    "github_reviewed_at": "2026-03-31T23:58:08Z"
}
References

Affected packages

npm / openclaw

Package

Affected ranges

Type
SEMVER
Events
Introduced
2026.2.14
Fixed
2026.3.28

Database specific

last_known_affected_version_range
"<= 2026.3.24"
source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-jp4j-q5fc-58gv/GHSA-jp4j-q5fc-58gv.json"