๐Ÿ” CVE Alert

CVE-2026-27484

Severity: UNKNOWN (CVSS 0.0)

OpenClaw Discord moderation authorization used untrusted sender identity in tool-driven flows

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, the Discord moderation action handling (timeout, kick, ban) uses sender identity from request parameters in tool-driven flows, instead of trusted runtime sender context. In setups where Discord moderation actions are enabled and the bot has the necessary guild permissions, a non-admin user can request moderation actions by spoofing sender identity fields. This issue has been fixed in version 2026.2.18.
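The advisory's root cause is a CWE-862 pattern: the authorization decision for a moderation action is made on identity fields that arrive inside the tool call's parameters, which the message author can steer, rather than on the sender the runtime itself authenticated. The following added illustration is not OpenClaw code; the role table, function names, `senderId`/`targetUserId` parameters and the runtime context shape are all hypothetical, constructed to show the unsafe check beside the hardened one.

```javascript
// Added illustration of the CWE-862 pattern described in the advisory.
// Not OpenClaw code: the role table, parameter names and context shape are
// hypothetical and constructed for this example.

// Constructed guild role table: Discord user ids that hold moderator rights.
const MODERATOR_IDS = new Set(["111111111111111111"]);

// Moderation actions the handler accepts.
const ACTIONS = new Set(["timeout", "kick", "ban"]);

// The runtime builds this from the authenticated Discord event before any
// tool runs, so a tool call cannot overwrite it.
function makeRuntimeContext(authenticatedUserId) {
  return Object.freeze({ senderId: authenticatedUserId });
}

// Unsafe pattern: the moderator check trusts the sender identity carried in
// the tool parameters and ignores the runtime context entirely.
function authorizeModerationUnsafe(params, _ctx) {
  return MODERATOR_IDS.has(params.senderId);
}

// Hardened pattern: any identity field in params is ignored; only the
// principal attached by the runtime is consulted.
function authorizeModerationSafe(_params, ctx) {
  if (!ctx || typeof ctx.senderId !== "string") return false;
  return MODERATOR_IDS.has(ctx.senderId);
}

// Dispatcher for a moderation action. It returns a result object instead of
// calling Discord so the decision logic can be exercised offline.
function handleModerationAction(params, ctx, authorize) {
  if (!ACTIONS.has(params.action)) {
    return { ok: false, reason: "unknown action" };
  }
  if (!authorize(params, ctx)) {
    return { ok: false, reason: "not authorized" };
  }
  return { ok: true, action: params.action, target: params.targetUserId };
}

// Constructed scenario: the authenticated sender is a non-moderator
// (id 222...), but the tool call's parameters claim the moderator's id.
const spoofedRequest = {
  action: "ban",
  targetUserId: "333333333333333333",
  senderId: "111111111111111111", // untrusted: claims to be the moderator
};
const nonModeratorCtx = makeRuntimeContext("222222222222222222");
const moderatorCtx = makeRuntimeContext("111111111111111111");

// Runs the same spoofed request through both checks, plus a legitimate
// moderator request through the hardened check for comparison.
function demo() {
  return {
    unsafe: handleModerationAction(spoofedRequest, nonModeratorCtx, authorizeModerationUnsafe),
    safe: handleModerationAction(spoofedRequest, nonModeratorCtx, authorizeModerationSafe),
    legit: handleModerationAction(spoofedRequest, moderatorCtx, authorizeModerationSafe),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The unsafe check approves the spoofed request because it only looks at `params.senderId`; the hardened check denies it because the runtime context says the sender is not a moderator, while the same request from an authenticated moderator still succeeds. The detection-relevant takeaway is that any identity-bearing field a model can populate must be treated as data, never as the principal for an authorization decision.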

CWE: CWE-862
Vendor: openclaw
Product: openclaw
Published: Feb 21, 2026
Last Updated: Feb 24, 2026

Affected Versions

openclaw / openclaw
< 2026.2.18

References

NVD, CVE.org, EPSS Data (external links)
github.com: https://github.com/openclaw/openclaw/security/advisories/GHSA-wh94-p5m6-mr7j
github.com: https://github.com/openclaw/openclaw/commit/775816035ecc6bb243843f8000c9a58ff609e32d
github.com: https://github.com/openclaw/openclaw/releases/tag/v2026.2.19