GHSA-p44v-rx83-vjp4

Suggest an improvement
Source
https://github.com/advisories/GHSA-p44v-rx83-vjp4
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-p44v-rx83-vjp4/GHSA-p44v-rx83-vjp4.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-p44v-rx83-vjp4
Withdrawn
2026-06-18T20:35:46Z
Published
2026-06-16T21:31:58Z
Modified
2026-06-18T20:45:17.208510239Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
  • 8.6 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Duplicate Advisory: Discord allowFrom could bind to mutable display names
Details

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-cw4q-gqg5-g38h. This link is maintained to preserve external references.

Original Description

OpenClaw before 2026.5.7 contains a privilege escalation vulnerability where the allowFrom feature improperly validates Discord account identity using mutable display names instead of immutable user IDs. Attackers with Discord accounts can change their display name to match a policy entry and gain unauthorized agent access intended for another Discord identity.

Database specific
{
    "github_reviewed_at": "2026-06-18T20:35:46Z",
    "nvd_published_at": "2026-06-16T19:17:02Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-290"
    ],
    "severity": "HIGH"
}
References

Affected packages

npm / openclaw

Package

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
2026.5.6

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-p44v-rx83-vjp4/GHSA-p44v-rx83-vjp4.json"