Discord Bot Moderation Actions Can Be Faked
CVE-2026-27484
GHSA-wh94-p5m6-mr7j
Summary
A security issue in the OpenClaw Discord moderation tool allows a non-admin user to fake moderation actions, such as kicking or banning users, by manipulating the request. This was fixed in a recent update, and users should update to the latest version of OpenClaw to prevent this issue.
What to do
- Update steipete openclaw to version 2026.2.18.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| steipete | openclaw | <= 2026.2.18 | 2026.2.18 |
| openclaw | openclaw | <= 2026.2.17 | – |
Original title
OpenClaw Discord moderation authorization used untrusted sender identity in tool-driven flows
Original description
## Overview
Discord moderation action handling (`timeout`, `kick`, `ban`) used sender identity from request parameters in tool-driven flows, instead of trusted runtime sender context.
## Impact
In setups where Discord moderation actions are enabled and the bot has the necessary guild permissions, a non-admin user could request moderation actions by spoofing sender identity fields.
## Affected Packages / Versions
- Package: `openclaw` (npm)
- Latest published affected version (as of 2026-02-19): `2026.2.17`
- Affected range: `<=2026.2.17`
- Fixed in planned next release: `2026.2.18`
## Fix
- Moderation authorization now uses trusted sender context (`requesterSenderId`) instead of untrusted action params.
- Added permission checks for required guild capabilities per action.
## Fix Commit(s)
- `775816035ecc6bb243843f8000c9a58ff609e32d`
Thanks @aether-ai-agent for reporting.
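The authorization flaw above (CWE-862) is a pattern worth seeing side by side with its fix. The following TypeScript is an added illustration, not OpenClaw's code: the type and function names (`ActionParams`, `RuntimeContext`, `authorizeVulnerable`, `authorizeHardened`, `spoofScenario`) and the sample ids are constructed here; only `requesterSenderId` and the three action names come from the advisory. The vulnerable function takes the sender identity from the request parameters, while the hardened one uses the runtime's trusted requester context and checks the bot's guild permission for each action.

```typescript
// Added example (not OpenClaw's code). Contrasts an authorization check that
// trusts a caller-supplied sender id with one that uses the runtime's trusted
// requester context and verifies the bot's guild permission per action.

type ModerationAction = "timeout" | "kick" | "ban";

// Hypothetical request shape: the sender id field is attacker-controllable
// because it travels with the tool call itself.
interface ActionParams {
  action: ModerationAction;
  targetUserId: string;
  senderId?: string; // untrusted
}

// Hypothetical runtime context: filled in by the runtime from the Discord
// event, never from the tool call.
interface RuntimeContext {
  requesterSenderId: string; // trusted
  adminUserIds: Set<string>;
  botGuildPermissions: Set<string>;
}

// Guild permission the bot itself must hold for each action
// (discord.js-style permission names).
const REQUIRED_BOT_PERMISSION: Record<ModerationAction, string> = {
  timeout: "ModerateMembers",
  kick: "KickMembers",
  ban: "BanMembers",
};

type Decision = { allowed: true } | { allowed: false; reason: string };

// Vulnerable pattern: identity is read from the request, so any caller who
// can fill in senderId can claim to be an admin.
export function authorizeVulnerable(params: ActionParams, ctx: RuntimeContext): Decision {
  const sender = params.senderId ?? ctx.requesterSenderId;
  if (!ctx.adminUserIds.has(sender)) {
    return { allowed: false, reason: `sender ${sender} is not an admin` };
  }
  return { allowed: true };
}

// Hardened pattern: ignore any identity in the params, authorize on the
// runtime's requesterSenderId, and confirm the bot has the capability the
// requested action needs.
export function authorizeHardened(params: ActionParams, ctx: RuntimeContext): Decision {
  const sender = ctx.requesterSenderId;
  if (!ctx.adminUserIds.has(sender)) {
    return { allowed: false, reason: `requester ${sender} is not an admin` };
  }
  const needed = REQUIRED_BOT_PERMISSION[params.action];
  if (!ctx.botGuildPermissions.has(needed)) {
    return { allowed: false, reason: `bot lacks ${needed} for ${params.action}` };
  }
  return { allowed: true };
}

// Constructed scenario: a non-admin member ("user-200") requests a ban while
// the request carries an admin's id. Returns both decisions for comparison.
export function spoofScenario(): { vulnerable: Decision; hardened: Decision } {
  const ctx: RuntimeContext = {
    requesterSenderId: "user-200", // constructed: the actual caller
    adminUserIds: new Set(["admin-100"]),
    botGuildPermissions: new Set(["ModerateMembers", "KickMembers", "BanMembers"]),
  };
  const params: ActionParams = {
    action: "ban",
    targetUserId: "user-300",
    senderId: "admin-100", // constructed: claimed identity, not the caller's
  };
  return {
    vulnerable: authorizeVulnerable(params, ctx),
    hardened: authorizeHardened(params, ctx),
  };
}

console.log(spoofScenario());
// vulnerable: allowed, hardened: denied ("requester user-200 is not an admin")
```

The per-action permission check is the second half of the fix: even a legitimate admin request is refused when the bot lacks the guild capability for that specific action, so a misconfigured bot fails closed rather than attempting an action Discord would reject.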
NVD CVSS 3.1: 4.3
NVD CVSS 4.0: 2.3
Vulnerability type
CWE-862 (Missing Authorization)
References
- https://nvd.nist.gov/vuln/detail/CVE-2026-27484
- https://github.com/advisories/GHSA-wh94-p5m6-mr7j
- https://github.com/openclaw/openclaw/commit/775816035ecc6bb243843f8000c9a58ff609... Patch
- https://github.com/openclaw/openclaw/releases/tag/v2026.2.19 Release Notes
- https://github.com/openclaw/openclaw/security/advisories/GHSA-wh94-p5m6-mr7j Vendor Advisory
Published: 20 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026