Discord Audio Transcription Leaks Sensitive Info Before Authorization

GHSA-hhff-fj5f-qg48
Summary

The OpenClaw package processes Discord audio (a preflight transcription step) before checking whether the sending member is authorized, so unauthorized members can cause sensitive audio to be transcribed and consume transcription resources. This issue is fixed in version 2026.3.31 and later; update to the latest version to keep your system secure.
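The ordering mistake behind this advisory is easy to see in code. The example below is added here and is not OpenClaw's code: the names (handleVoiceMessageVulnerable, handleVoiceMessageFixed, transcribeAudio, isMemberAllowed) and the allowlist are hypothetical, and the "transcription" is a counter standing in for the real, expensive step. The vulnerable handler runs preflight transcription on every message and only then consults the allowlist; the fixed handler checks membership first and additionally caps input size, which is the CWE-770 mitigation a reviewer would ask for.

```javascript
// Added example (not OpenClaw's code). All names and sample data are constructed.

// Constructed allowlist of member IDs permitted to trigger transcription.
const ALLOWLIST = new Set(['member-allowed-1']);

// Stand-in for the expensive transcription step; it only records how much
// work it was asked to do so the two handlers can be compared.
const stats = { transcribeCalls: 0, bytesProcessed: 0 };
function transcribeAudio(audioBytes) {
  stats.transcribeCalls += 1;
  stats.bytesProcessed += audioBytes.length;
  return `transcript(${audioBytes.length} bytes)`;
}

function isMemberAllowed(memberId) {
  return ALLOWLIST.has(memberId);
}

// Vulnerable ordering: preflight transcription runs for every incoming
// message, and the member allowlist is consulted only afterwards.
function handleVoiceMessageVulnerable(msg) {
  const preflight = transcribeAudio(msg.audio);
  if (!isMemberAllowed(msg.memberId)) {
    return { status: 'rejected', reason: 'not-allowlisted' };
  }
  return { status: 'ok', transcript: preflight };
}

// Fixed ordering: authorization gates all audio processing, and a size cap
// bounds the work even for allowed members.
const MAX_AUDIO_BYTES = 1024 * 1024; // hypothetical limit
function handleVoiceMessageFixed(msg) {
  if (!isMemberAllowed(msg.memberId)) {
    return { status: 'rejected', reason: 'not-allowlisted' };
  }
  if (msg.audio.length > MAX_AUDIO_BYTES) {
    return { status: 'rejected', reason: 'too-large' };
  }
  return { status: 'ok', transcript: transcribeAudio(msg.audio) };
}

// Runs a batch through a handler and reports how many messages were rejected
// and how much transcription work the batch caused.
function measure(handler, messages) {
  stats.transcribeCalls = 0;
  stats.bytesProcessed = 0;
  const results = messages.map(handler);
  const rejected = results.filter((r) => r.status === 'rejected').length;
  return { rejected, transcribeCalls: stats.transcribeCalls, bytesProcessed: stats.bytesProcessed };
}

// Constructed sample: one allowed member and two messages from a member who
// is not on the allowlist, the second one oversized.
const SAMPLE_MESSAGES = [
  { memberId: 'member-allowed-1', audio: Buffer.alloc(1000) },
  { memberId: 'member-unknown', audio: Buffer.alloc(5000) },
  { memberId: 'member-unknown', audio: Buffer.alloc(2 * 1024 * 1024) },
];

console.log('vulnerable:', measure(handleVoiceMessageVulnerable, SAMPLE_MESSAGES));
console.log('fixed:     ', measure(handleVoiceMessageFixed, SAMPLE_MESSAGES));
```

Both handlers reject the same two messages, but only the fixed one keeps the unauthorized audio out of the transcription step entirely; the vulnerable one has already processed every byte before it rejects. When auditing a bot or webhook handler for this class, the check is the same: trace each costly or sensitive operation back to the authorization decision and confirm the decision comes first.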

What to do
  • Update openclaw to version 2026.3.31.
Affected software
Vendor/Product: openclaw
Affected versions: <= 2026.3.28
Fix available: 2026.3.31
Original title
OpenClaw runs Discord audio preflight transcription before member authorization
Original description
## Summary
Discord audio preflight transcription before member authorization

## Current Maintainer Triage
- Status: narrow
- Normalized severity: medium
- Assessment: v2026.3.28 still runs Discord audio preflight before member allowlist rejection, but this is the same pre-auth resource-consumption class and not the high-severity auth-bypass framing in the draft.

## Affected Packages / Versions
- Package: `openclaw` (npm)
- Latest published npm version: `2026.3.31`
- Vulnerable version range: `<=2026.3.28`
- Patched versions: `>= 2026.3.31`
- First stable tag containing the fix: `v2026.3.31`

## Fix Commit(s)
- `ee52f64226a03efadfdf1e3b759e13424a3d4e41` — 2026-03-30T14:38:22+01:00

OpenClaw thanks @AntAISecurityLab for reporting.
ghsa CVSS4.0 6.9
Vulnerability type
CWE-770 Allocation of Resources Without Limits
Published: 3 Apr 2026 · Updated: 3 Apr 2026 · First seen: 3 Apr 2026