Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
5.3
OpenClaw: Discord DM reaction ingress missed dmPolicy/allowFrom checks in restricted setups
GHSA-354r-7mfh-7rh2
Summary
### Summary
In OpenClaw `<= 2026.2.24`, Discord direct-message reaction notifications did not consistently apply the same DM authorization checks (`dmPolicy` / `allowFrom`) that are enforced for normal DM message ingress.
In restrictive DM setups, a non-allowlisted Discord user who can react to a b...
What to do
- Update openclaw to version 2026.2.25.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | openclaw | <= 2026.2.24 | 2026.2.25 |
Original title
OpenClaw: Discord DM reaction ingress missed dmPolicy/allowFrom checks in restricted setups
Original description
### Summary
In OpenClaw `<= 2026.2.24`, Discord direct-message reaction notifications did not consistently apply the same DM authorization checks (`dmPolicy` / `allowFrom`) that are enforced for normal DM message ingress.
In restrictive DM setups, a non-allowlisted Discord user who can react to a bot-authored DM message could still enqueue a reaction-derived system event in the session.
This is a reaction-only ingress inconsistency. By itself it does not directly execute commands; practical impact depends on downstream automation/tool policy.
### Details
The DM message path already enforces `dmPolicy`/`allowFrom` authorization, but the DM reaction-notification path previously allowed event enqueue under reaction mode checks without that same authorization gate.
Fix in `main` aligns reaction ingress with normal message preflight for Discord DM/group-DM/guild policy boundaries and applies equivalent DM reaction authorization hardening for Slack to keep channel behavior consistent.
### Affected Packages / Versions
- `npm` package: `openclaw`
- Affected: `<= 2026.2.24`
- Patched: `>= 2026.2.25`
### Fix Commit(s)
- `aedf62ac7e669a89c7b299201bf6537dc6b12e0e`
### Release Process Note
`patched_versions` is pre-set to the release (`2026.2.25`) so after npm release the advisory is published.
Thanks @tdjackey for reporting.
In OpenClaw `<= 2026.2.24`, Discord direct-message reaction notifications did not consistently apply the same DM authorization checks (`dmPolicy` / `allowFrom`) that are enforced for normal DM message ingress.
In restrictive DM setups, a non-allowlisted Discord user who can react to a bot-authored DM message could still enqueue a reaction-derived system event in the session.
This is a reaction-only ingress inconsistency. By itself it does not directly execute commands; practical impact depends on downstream automation/tool policy.
### Details
The DM message path already enforces `dmPolicy`/`allowFrom` authorization, but the DM reaction-notification path previously allowed event enqueue under reaction mode checks without that same authorization gate.
Fix in `main` aligns reaction ingress with normal message preflight for Discord DM/group-DM/guild policy boundaries and applies equivalent DM reaction authorization hardening for Slack to keep channel behavior consistent.
### Affected Packages / Versions
- `npm` package: `openclaw`
- Affected: `<= 2026.2.24`
- Patched: `>= 2026.2.25`
### Fix Commit(s)
- `aedf62ac7e669a89c7b299201bf6537dc6b12e0e`
### Release Process Note
`patched_versions` is pre-set to the release (`2026.2.25`) so after npm release the advisory is published.
Thanks @tdjackey for reporting.
ghsa CVSS4.0
5.3
Vulnerability type
CWE-863
Incorrect Authorization
Published: 3 Mar 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026