Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.
7.6

Discord Slash Commands Allow Unauthorized Group DM Access

GHSA-rvvf-6vh3-9j43
Summary

Discord's built-in slash commands can bypass channel restrictions, allowing authorized users to access restricted groups. This could potentially lead to unwanted messages or spam in those groups. Update OpenClaw to version 2026.3.31 or later to fix this issue.

What to do
  • Update openclaw to version 2026.3.31.
Affected software
VendorProductAffected versionsFix available
openclaw <= 2026.3.31 2026.3.31
Original title
OpenClaw: Discord Slash Commands Bypass Group DM Channel Allowlist
Original description
## Summary
Discord Slash Commands Bypass Group DM Channel Allowlist

## Current Maintainer Triage
- Status: narrow
- Normalized severity: moderate
- Assessment: v2026.3.28 native Discord slash and autocomplete paths still skip the group-DM allowlist, but impact is limited to already-authorized Discord users bypassing a channel restriction rather than crossing a stronger trust boundary.

## Affected Packages / Versions
- Package: `openclaw` (npm)
- Latest published npm version: `2026.3.31`
- Vulnerable version range: `<=2026.3.28`
- Patched versions: `>= 2026.3.31`
- First stable tag containing the fix: `v2026.3.31`

## Fix Commit(s)
- `8fdb19676ab44cf85d47ee13c578195f2e527591` — 2026-03-30T11:17:36-06:00

OpenClaw thanks @nexrin for reporting.
osv CVSS4.0 7.6
Vulnerability type
CWE-863 Incorrect Authorization
Published: 3 Apr 2026 · Updated: 3 Apr 2026 · First seen: 3 Apr 2026