CVE-2026-27484
Improper Sender Validation in OpenClaw Enables Unauthorized Discord Moderation

Publication date: 2026-02-21

Last updated on: 2026-02-23

Assigner: GitHub, Inc.

Description
OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, the Discord moderation action handling (timeout, kick, ban) uses sender identity from request parameters in tool-driven flows, instead of trusted runtime sender context. In setups where Discord moderation actions are enabled and the bot has the necessary guild permissions, a non-admin user can request moderation actions by spoofing sender identity fields. This issue has been fixed in version 2026.2.18.
Meta Information
Published: 2026-02-21
Last Modified: 2026-02-23
Generated: 2026-06-16
AI Q&A: 2026-02-21
EPSS Evaluated: 2026-06-15
NVD
Affected Vendors & Products
Vendor: openclaw
Product: openclaw
Version / Range: up to and including 2026.2.17
CWE
CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Executive Summary

CVE-2026-27484 is a vulnerability in the OpenClaw AI assistant related to Discord moderation actions such as timeout, kick, and ban. In versions 2026.2.17 and below, these actions used the sender identity provided in request parameters rather than a trusted runtime sender context. This flaw allowed non-admin users to spoof sender identity fields and request unauthorized moderation actions if the bot had the necessary guild permissions enabled.

The root cause is a missing authorization check (classified as CWE-862), where the system did not verify that the user requesting the moderation action actually had the required permissions. This issue was fixed in version 2026.2.18 by enforcing permission checks using a trusted sender context and ignoring untrusted sender identity parameters.

Impact Analysis

This vulnerability can allow a non-admin user to perform unauthorized Discord moderation actions such as timing out, kicking, or banning other users if the OpenClaw bot has the necessary guild permissions enabled. This means an attacker could misuse the bot to disrupt community management, remove legitimate users, or otherwise abuse moderation capabilities without proper authorization.

Such unauthorized actions can lead to disruption of Discord server operations, loss of trust among users, and potential misuse of administrative privileges.

Detection Guidance

This vulnerability involves unauthorized Discord moderation actions triggered by spoofed sender identity fields in tool-driven flows of the OpenClaw assistant. Detection therefore means checking whether moderation actions (timeout, kick, ban) are being requested by non-admin users who lack the corresponding guild permission.

Since the issue arises from the use of untrusted senderUserId parameters, you can monitor logs or audit trails for moderation commands where the sender identity does not match a trusted runtime context or where non-admin users are performing moderation actions.

Specific commands to detect this vulnerability are not provided in the available resources.

Mitigation Strategies

The immediate mitigation step is to upgrade OpenClaw to version 2026.2.18 or later, where the vulnerability has been fixed.

The fix enforces trusted sender authentication by verifying that the sender has the required Discord guild permissions before allowing moderation actions such as timeout, kick, or ban.

If upgrading immediately is not possible, consider disabling Discord moderation actions or restricting bot permissions to prevent unauthorized moderation commands.
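The two points the page makes, the fix (decide authorization from the runtime's trusted sender context and ignore sender identity carried in request parameters) and the detection guidance (look for moderation requests whose claimed sender does not match the runtime sender, or whose real sender lacks permission), as one added TypeScript example. This is illustration code written for this page, not OpenClaw's code: the permission table, the field names (runtimeSender, claimedSender, targetUserId), the audit records and the guild and user ids are all constructed; the permission names mirror Discord's but the data behind them is made up. Only senderUserId comes from the page.

```typescript
// Added illustration for this page, not OpenClaw's code. Every identifier
// below (permission table, field names, audit records) is constructed.

type ModerationAction = "timeout" | "kick" | "ban";

// Authenticated context the runtime attaches to an inbound Discord message.
interface SenderContext {
  userId: string;
  guildId: string;
}

// Parameters of a tool-driven moderation call. They originate from the model
// or the requesting user, so nothing in here is trustworthy for authorization.
interface ModerationParams {
  action: ModerationAction;
  targetUserId: string;
  senderUserId?: string; // claimed identity; the advisory's spoofable field
}

// Constructed stand-in for a guild permission lookup: guild -> user -> perms.
// The permission names mirror Discord's, but the data is made up.
const GUILD_PERMISSIONS: Record<string, Record<string, Set<string>>> = {
  "guild-1": {
    "admin-1": new Set<string>(["MODERATE_MEMBERS", "KICK_MEMBERS", "BAN_MEMBERS"]),
    "user-7": new Set<string>(),
  },
};

const REQUIRED_PERMISSION: Record<ModerationAction, string> = {
  timeout: "MODERATE_MEMBERS",
  kick: "KICK_MEMBERS",
  ban: "BAN_MEMBERS",
};

function hasPermission(guildId: string, userId: string, perm: string): boolean {
  return GUILD_PERMISSIONS[guildId]?.[userId]?.has(perm) ?? false;
}

// Vulnerable pattern (the CWE-862 shape described on this page): the acting
// user is whatever the parameters claim, so the permission check is run
// against an identity the caller chose rather than the one the runtime saw.
function authorizeFromParams(params: ModerationParams, ctx: SenderContext): boolean {
  const actor = params.senderUserId ?? ctx.userId;
  return hasPermission(ctx.guildId, actor, REQUIRED_PERMISSION[params.action]);
}

// Hardened pattern: the acting user is taken only from the runtime context.
// params.senderUserId plays no part in the decision; a mismatch is worth logging.
function authorizeFromContext(params: ModerationParams, ctx: SenderContext): boolean {
  return hasPermission(ctx.guildId, ctx.userId, REQUIRED_PERMISSION[params.action]);
}

// Constructed audit record of a moderation request: what the runtime knew
// about the sender alongside what the parameters claimed.
interface AuditRecord {
  ts: string;
  guildId: string;
  runtimeSender: string;
  claimedSender?: string;
  action: ModerationAction;
  target: string;
}

// Constructed sample log: one legitimate action, one request whose claimed
// sender differs from the runtime sender, one plain unauthorized request.
const AUDIT_LOG: AuditRecord[] = [
  { ts: "2026-02-20T10:00:00Z", guildId: "guild-1", runtimeSender: "admin-1", action: "timeout", target: "user-9" },
  { ts: "2026-02-20T10:05:00Z", guildId: "guild-1", runtimeSender: "user-7", claimedSender: "admin-1", action: "kick", target: "user-9" },
  { ts: "2026-02-20T10:07:00Z", guildId: "guild-1", runtimeSender: "user-7", action: "ban", target: "user-9" },
];

// Detection pass over the audit trail, following the page's guidance: flag
// requests whose claimed sender differs from the runtime sender, and requests
// whose real sender lacks the permission the action requires.
function findSuspicious(records: AuditRecord[]): string[] {
  const findings: string[] = [];
  for (const r of records) {
    const needed = REQUIRED_PERMISSION[r.action];
    if (r.claimedSender !== undefined && r.claimedSender !== r.runtimeSender) {
      findings.push(`${r.ts} sender mismatch: runtime=${r.runtimeSender} claimed=${r.claimedSender} action=${r.action}`);
    } else if (!hasPermission(r.guildId, r.runtimeSender, needed)) {
      findings.push(`${r.ts} unauthorized ${r.action} by ${r.runtimeSender} (lacks ${needed})`);
    }
  }
  return findings;
}
```

The design point is that authorizeFromContext never reads senderUserId at all, rather than reading it and comparing; a field the caller controls cannot strengthen an authorization decision, it can only weaken it. Keeping the claimed value in the audit record, as findSuspicious assumes, preserves the evidence a defender needs to spot the mismatch on unpatched deployments.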
