Authorization Bypass in OpenClaw Affects Discord Integrations
CVE-2026-41348

2.3 LOW

Key Information:

Vendor: Openclaw
Status: Vendor
CVE Published: 23 April 2026

What is CVE-2026-41348?

OpenClaw versions prior to 2026.3.31 are vulnerable to an authorization bypass in the handling of Discord slash commands. Because allowlist constraints are not properly applied when a user invokes certain slash commands, an authorized user can bypass channel restrictions and reach group DM channels that the allowlist was meant to keep restricted. Since the group DM channel restriction is not enforced on this path, the outcome is unauthorized access to those channels, so affected deployments should be patched promptly to reduce the risk of exploitation.
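As an added illustration of the bug class described above (constructed example, not OpenClaw's code; the interaction, allowlist and handler shapes are assumptions), the TypeScript below shows a slash-command entry point that re-implements only part of the allowlist check, beside a hardened version that routes every entry point through a single policy decision so group DM restrictions cannot be skipped.

```typescript
// Constructed model of a Discord bot's allowlist. Names and fields are
// assumptions for illustration only, not OpenClaw's real data model.
type ChannelKind = "guildText" | "dm" | "groupDm";

interface Interaction {
  channelId: string;
  channelKind: ChannelKind;
  userId: string;
}

interface Allowlist {
  users: Set<string>;      // users permitted to drive the bot
  channels: Set<string>;   // guild / group channels the bot may act in
  allowGroupDms: boolean;  // whether group DMs are permitted at all
}

// The one place the policy is decided. Every entry point must call this.
function isPermitted(i: Interaction, a: Allowlist): boolean {
  if (!a.users.has(i.userId)) return false;
  if (i.channelKind === "groupDm" && !a.allowGroupDms) return false;
  if (i.channelKind !== "dm" && !a.channels.has(i.channelId)) return false;
  return true;
}

// Weak pattern (assumed shape of the defect, kept for contrast): the slash
// command path duplicates only the user check, so the group DM and channel
// restrictions are never consulted on this path.
function slashCommandAllowedWeak(i: Interaction, a: Allowlist): boolean {
  return a.users.has(i.userId);
}

// Hardened: slash commands and ordinary messages share the same decision.
function slashCommandAllowed(i: Interaction, a: Allowlist): boolean {
  return isPermitted(i, a);
}

function messageAllowed(i: Interaction, a: Allowlist): boolean {
  return isPermitted(i, a);
}
```

The check to keep in mind when reviewing a change like this is that every inbound event type (message, slash command, button, modal) reaches the same policy function rather than its own abbreviated copy.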

Affected Version(s)

OpenClaw 0 < 2026.3.31

OpenClaw 2026.3.31

CVSS V4

Score: 2.3
Severity: LOW
Confidentiality: Low
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Nathan (@nexrin)
KeenSecurityLab
qclawer