9 matches found
CVE-2026-32035
OpenClaw versions prior to 2026.3.2 fail to pass the senderIsOwner flag when processing Discord voice transcripts in agentCommand, causing the flag to default to true. Non-owner voice participants can exploit this omission to access owner-only tools including gateway and cron functionality in...
OpenClaw has an unspecified vulnerability (CNVD-2026-14832)
OpenClaw is an intelligent artificial assistant open-sourced by OpenClaw. OpenClaw suffers from a security vulnerability that is caused by failing to pass the senderIsOwner flag when processing Discord voice transcription in agentCommand. An attacker could exploit the vulnerability to cause a voi...
CVE-2026-32035 OpenClaw < 2026.3.2 - Missing Owner Flag Validation in Discord Voice Transcript Handler
OpenClaw versions prior to 2026.3.2 fail to pass the senderIsOwner flag when processing Discord voice transcripts in agentCommand, causing the flag to default to true. Non-owner voice participants can exploit this omission to access owner-only tools including gateway and cron functionality in...
EUVD-2026-13318
OpenClaw versions prior to 2026.3.2 fail to pass the senderIsOwner flag when processing Discord voice transcripts in agentCommand, causing the flag to default to true. Non-owner voice participants can exploit this omission to access owner-only tools including gateway and cron functionality in...
OpenClaw has Canvas route hardening for mixed-trust deployments
Summary This advisory tracks a defense-in-depth hardening for canvas routes. In mixed-trust or network-visible deployments, prior canvas auth/fallback behavior could broaden access beyond intended boundaries. Deployment Context OpenClaw’s default model is trusted host + loopback-first access. Som...
Improper Restriction of Rendered UI Layers or Frames
Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Improper Restriction of Rendered UI Layers or Frames in the canvas route authorization process. An attacker can gain unauthorized access to restricted routes by exploiting insufficient...
GHSA-CJV3-M589-V3RX OpenClaw has Canvas route hardening for mixed-trust deployments
Summary This advisory tracks a defense-in-depth hardening for canvas routes. In mixed-trust or network-visible deployments, prior canvas auth/fallback behavior could broaden access beyond intended boundaries. Deployment Context OpenClaw’s default model is trusted host + loopback-first access. Som...
GHSA-WPG9-4G4V-F9RC OpenClaw: Discord voice transcript owner-flag omission could expose owner-only tools in mixed-trust channels
Summary In [email protected], the Discord voice transcript path called agentCommand... without senderIsOwner, and agentCommand defaults missing senderIsOwner to true. This could allow a non-owner voice participant in the same channel to reach owner-only tool surfaces gateway, cron during voice...
OpenClaw: Discord voice transcript owner-flag omission could expose owner-only tools in mixed-trust channels
Summary In [email protected], the Discord voice transcript path called agentCommand... without senderIsOwner, and agentCommand defaults missing senderIsOwner to true. This could allow a non-owner voice participant in the same channel to reach owner-only tool surfaces gateway, cron during voice...