GHSA-wh94-p5m6-mr7j
Suggest an improvement- Source
- https://github.com/advisories/GHSA-wh94-p5m6-mr7j
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-wh94-p5m6-mr7j/GHSA-wh94-p5m6-mr7j.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-wh94-p5m6-mr7j
- Aliases
- Downstream
- Published
- 2026-02-20T21:02:31Z
- Modified
- 2026-02-23T23:02:26.514340Z
- Severity
-
- 2.3 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- OpenClaw Discord moderation authorization used untrusted sender identity in tool-driven flows
- Details
-
Overview
Discord moderation action handling (
timeout,kick,ban) used sender identity from request parameters in tool-driven flows, instead of trusted runtime sender context.Impact
In setups where Discord moderation actions are enabled and the bot has the necessary guild permissions, a non-admin user could request moderation actions by spoofing sender identity fields.
Affected Packages / Versions
- Package:
openclaw(npm) - Latest published affected version (as of 2026-02-19):
2026.2.17 - Affected range:
<=2026.2.17 - Fixed in planned next release:
2026.2.18
Fix
- Moderation authorization now uses trusted sender context (
requesterSenderId) instead of untrusted action params. - Added permission checks for required guild capabilities per action.
Fix Commit(s)
775816035ecc6bb243843f8000c9a58ff609e32d
Thanks @aether-ai-agent for reporting.
- Package:
- Database specific
{ "cwe_ids": [ "CWE-862" ], "github_reviewed_at": "2026-02-20T21:02:31Z", "nvd_published_at": "2026-02-21T10:16:12Z", "severity": "LOW", "github_reviewed": true }- References
-
- https://github.com/openclaw/openclaw/security/advisories/GHSA-wh94-p5m6-mr7j
- https://nvd.nist.gov/vuln/detail/CVE-2026-27484
- https://github.com/openclaw/openclaw/commit/775816035ecc6bb243843f8000c9a58ff609e32d
- https://github.com/openclaw/openclaw
- https://github.com/openclaw/openclaw/releases/tag/v2026.2.19
Affected packages
npm / openclaw
Package
- Name
- openclaw
- View open source insights on deps.dev
- Purl
- pkg:npm/openclaw