Discord Slash Commands Can Bypass Channel Restrictions for Authorized Users
GHSA-rvvf-6vh3-9j43
Summary
OpenClaw's native Discord slash-command and autocomplete paths do not check the group-DM channel allowlist, so a Discord user who is already authorized to talk to the bot can drive it from a group direct message the operator has not allowlisted. Regular message handling enforces the allowlist; only these interaction paths skip it, so the impact is a channel-restriction bypass by an authorized user rather than a crossing of a stronger trust boundary. The issue affects the openclaw npm package up to and including version 2026.3.28 and is fixed in 2026.3.31; operators should update.
What to do
- Update openclaw to version 2026.3.31.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | openclaw | <= 2026.3.28 | 2026.3.31 |
Original title
OpenClaw: Discord Slash Commands Bypass Group DM Channel Allowlist
Original description
## Summary
Discord Slash Commands Bypass Group DM Channel Allowlist
## Current Maintainer Triage
- Status: narrow
- Normalized severity: moderate
- Assessment: v2026.3.28 native Discord slash and autocomplete paths still skip the group-DM allowlist, but impact is limited to already-authorized Discord users bypassing a channel restriction rather than crossing a stronger trust boundary.
## Affected Packages / Versions
- Package: `openclaw` (npm)
- Latest published npm version: `2026.3.31`
- Vulnerable version range: `<=2026.3.28`
- Patched versions: `>= 2026.3.31`
- First stable tag containing the fix: `v2026.3.31`
## Fix Commit(s)
- `8fdb19676ab44cf85d47ee13c578195f2e527591` — 2026-03-30T11:17:36-06:00
OpenClaw thanks @nexrin for reporting.
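The bug class the triage describes (an allowlist enforced on one entry path but skipped on another, CWE-863) is easy to reproduce in miniature. The following is an added illustration, not OpenClaw's code: a hypothetical Discord-style dispatcher whose message path checks a group-DM allowlist while its slash-command and autocomplete paths only check the user, shown next to a version that routes every event kind through a single authorization gate. The config shape, event shape, and every name are assumptions made for the example.

```javascript
// Added illustration, not OpenClaw's code. Models the authorization gap in the
// advisory: a group-DM channel allowlist enforced on the message path but
// skipped on the slash-command and autocomplete paths. The config shape,
// event shape and all names here are hypothetical.

const config = {
  // Discord users the bot will respond to at all.
  allowedUsers: new Set(["user-alice", "user-bob"]),
  // Group DMs the bot may operate in; any other group DM must be refused.
  groupDmAllowlist: new Set(["gdm-ops-team"]),
};

function userAllowed(event) {
  return config.allowedUsers.has(event.userId);
}

function channelAllowed(event) {
  // Only group DMs are restricted in this model; other channel types pass.
  if (event.channelType !== "GROUP_DM") return true;
  return config.groupDmAllowlist.has(event.channelId);
}

// Vulnerable dispatcher: each event kind re-implements its own checks, and the
// interaction kinds (slash, autocomplete) only verify the user. An authorized
// user can therefore use the bot from a group DM that is not allowlisted.
function vulnerableDispatch(event) {
  switch (event.kind) {
    case "message":
      if (!userAllowed(event) || !channelAllowed(event)) return "denied";
      return `handled:${event.content}`;
    case "slash":
    case "autocomplete":
      if (!userAllowed(event)) return "denied"; // BUG: channelAllowed() never runs
      return `handled:${event.command}`;
    default:
      return "ignored";
  }
}

// Hardened dispatcher: one authorize() gate runs before the kind-specific
// switch, so adding a new interaction type cannot silently skip the channel
// check.
function authorize(event) {
  return userAllowed(event) && channelAllowed(event);
}

function fixedDispatch(event) {
  if (!authorize(event)) return "denied";
  switch (event.kind) {
    case "message":
      return `handled:${event.content}`;
    case "slash":
    case "autocomplete":
      return `handled:${event.command}`;
    default:
      return "ignored";
  }
}

// Constructed sample events: an allowed user in an allowlisted group DM, the
// same user in a non-allowlisted group DM via each path, and an unknown user.
const sampleEvents = [
  { kind: "message", userId: "user-alice", channelType: "GROUP_DM", channelId: "gdm-ops-team", content: "status" },
  { kind: "message", userId: "user-alice", channelType: "GROUP_DM", channelId: "gdm-random", content: "status" },
  { kind: "slash", userId: "user-alice", channelType: "GROUP_DM", channelId: "gdm-random", command: "/status" },
  { kind: "autocomplete", userId: "user-alice", channelType: "GROUP_DM", channelId: "gdm-random", command: "/sta" },
  { kind: "slash", userId: "user-mallory", channelType: "GROUP_DM", channelId: "gdm-random", command: "/status" },
];

// Returns the events the vulnerable dispatcher accepts but the hardened one
// refuses: the bypass surface an authorized user could exploit.
function findBypasses(events) {
  return events.filter(
    (e) => vulnerableDispatch(e) !== "denied" && fixedDispatch(e) === "denied",
  );
}

for (const e of findBypasses(sampleEvents)) {
  console.log(`bypass: ${e.kind} by ${e.userId} in ${e.channelId}`);
}
```

Running the file reports the two slash and autocomplete events from the non-allowlisted group DM as bypasses, while the message event from the same channel is refused by both dispatchers. The design point is that an allowlist check attached to individual handlers is only as complete as the last handler someone remembered to wire it into; a gate that every entry path must pass is the structural fix.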
CVSS 4.0 (GHSA): 5.3
Vulnerability type
CWE-863
Incorrect Authorization
Published: 3 Apr 2026 · Updated: 3 Apr 2026 · First seen: 3 Apr 2026