CVE-2026-32923
Authorization Bypass in OpenClaw Discord Reaction Ingestion Allows Injection

Publication date: 2026-03-29

Last updated on: 2026-03-31

Assigner: VulnCheck

Description
OpenClaw before 2026.3.11 contains an authorization bypass vulnerability in Discord guild reaction ingestion: the reaction path does not enforce the member user and role allowlist checks that apply to ordinary guild messages. Non-allowlisted guild members can therefore trigger reaction events that are accepted as trusted system events, injecting reaction text into downstream session context.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-03-29
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: openclaw
Product: openclaw
Version / Range: up to 2026.3.11 (excluding)
CWE
CWE-863: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-32923 is an authorization bypass vulnerability in OpenClaw versions before 2026.3.11. It occurs in the Discord guild reaction ingestion component, where the system fails to enforce allowlist checks for member users and roles.

Because of this flaw, non-allowlisted guild members can trigger reaction events that the system mistakenly accepts as trusted system events. This allows unauthorized injection of reaction text into downstream session contexts.

The vulnerability is classified under CWE-863 (Incorrect Authorization) and CWE-284 (Improper Access Control), with a medium severity CVSS score of 5.4.


How can this vulnerability impact me?

This vulnerability allows unauthorized users who are not on the allowlist to inject reaction text into downstream session contexts by exploiting the Discord guild reaction ingestion process.

As a result, attackers can cause unauthorized reaction events to be processed as trusted system events, potentially leading to manipulation or corruption of session data.

The impact includes a low confidentiality and integrity impact, with no availability impact, but it still represents a moderate security risk due to improper authorization.


What immediate steps should I take to mitigate this vulnerability?

To mitigate the CVE-2026-32923 vulnerability, users should upgrade OpenClaw to version 2026.3.11 or later.

The fix in version 2026.3.11 applies the same users and roles allowlist enforcement to the Discord guild reaction ingress as is done for normal inbound guild messages, preventing unauthorized reaction events from being accepted as trusted system events.
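The following TypeScript is an added illustration of the fix described in this answer; it is not OpenClaw's own code. It models a message ingress that already consults the guild allowlist, a reaction ingress that skips it (the shape of the bug), and a reaction ingress that reuses the same decision (the shape of the fix). Every type, function name and sample identifier here (GuildAllowlist, isAllowed, u-mallory, r-operators and so on) is an assumption made for the example.

```typescript
// Added example, not OpenClaw's code: models the CVE-2026-32923 bug shape
// (a reaction ingress that bypasses the guild allowlist) next to the fix shape
// (both ingress paths share one authorization decision). All names and
// sample values are assumptions made for this illustration.

export interface GuildAllowlist {
  userIds: Set<string>; // members allowed to address the agent
  roleIds: Set<string>; // roles whose holders are allowed
}

export interface GuildActor {
  userId: string;
  roleIds: string[];
}

export interface SessionEvent {
  kind: "message" | "reaction";
  trusted: boolean; // true: downstream treats the text as a system event
  text: string;
}

// The single authorization decision every guild ingress path must share.
export function isAllowed(actor: GuildActor, allowlist: GuildAllowlist): boolean {
  if (allowlist.userIds.has(actor.userId)) return true;
  return actor.roleIds.some((roleId) => allowlist.roleIds.has(roleId));
}

// Message ingress: the allowlist was already enforced on this path.
export function ingestMessage(
  actor: GuildActor,
  text: string,
  allowlist: GuildAllowlist,
): SessionEvent | null {
  if (!isAllowed(actor, allowlist)) return null;
  return { kind: "message", trusted: true, text };
}

// Vulnerable reaction ingress: the allowlist is never consulted, so any
// guild member's reaction lands in the session as a trusted event.
export function ingestReactionVulnerable(
  actor: GuildActor,
  emoji: string,
  _allowlist: GuildAllowlist,
): SessionEvent | null {
  return { kind: "reaction", trusted: true, text: `${actor.userId} reacted with ${emoji}` };
}

// Fixed reaction ingress: the same gate the message path uses.
export function ingestReactionFixed(
  actor: GuildActor,
  emoji: string,
  allowlist: GuildAllowlist,
): SessionEvent | null {
  if (!isAllowed(actor, allowlist)) return null;
  return { kind: "reaction", trusted: true, text: `${actor.userId} reacted with ${emoji}` };
}

// Constructed sample data so the example runs stand-alone.
export const sampleAllowlist: GuildAllowlist = {
  userIds: new Set(["u-owner"]),
  roleIds: new Set(["r-operators"]),
};
export const allowedMember: GuildActor = { userId: "u-alice", roleIds: ["r-operators"] };
export const outsider: GuildActor = { userId: "u-mallory", roleIds: ["r-everyone"] };

export interface IngressOutcome {
  message: boolean;
  reactionVulnerable: boolean;
  reactionFixed: boolean;
}

// Reports whether each ingress path admits the actor, so the vulnerable and
// fixed reaction behaviour can be compared side by side (or regression-tested).
export function compare(actor: GuildActor): IngressOutcome {
  return {
    message: ingestMessage(actor, "hello", sampleAllowlist) !== null,
    reactionVulnerable: ingestReactionVulnerable(actor, ":+1:", sampleAllowlist) !== null,
    reactionFixed: ingestReactionFixed(actor, ":+1:", sampleAllowlist) !== null,
  };
}

console.log("allowed member:", compare(allowedMember));
console.log("non-allowlisted member:", compare(outsider));
```

The point of the shared `isAllowed` function is that there is only one place to get the check right: any new ingress path (reactions, edits, thread joins) that builds a trusted session event has to call it, and a regression test that runs every ingress path against a non-allowlisted actor catches the omission before it ships.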


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not specify how the CVE-2026-32923 vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.

