CVE-2026-41367
Received Received - Intake
Bypass of Channel Policy Enforcement in OpenClaw Discord Components

Publication date: 2026-04-28

Last updated on: 2026-04-28

Assigner: VulnCheck

Description
OpenClaw versions 2026.2.14 through 2026.3.24 fail to consistently apply guild and channel policy gates to Discord button and component interactions. Attackers can trigger privileged component actions from blocked contexts by bypassing channel policy enforcement.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-28
Last Modified
2026-04-28
Generated
2026-06-16
AI Q&A
2026-04-28
EPSS Evaluated
2026-06-15
NVD
CVE-2026-41367
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
openclaw openclaw From 2026.2.14 (inc) to 2026.3.28 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

To mitigate this vulnerability, you should upgrade OpenClaw to version 2026.3.28 or later, where the issue has been fixed by ensuring consistent application of guild and channel policy gates on Discord button and component interactions.

This update prevents attackers with low privileges from bypassing channel policy enforcement and triggering privileged component actions from blocked contexts.

Executive Summary

CVE-2026-41367 is a vulnerability in OpenClaw versions 2026.2.14 through 2026.3.24 where the software fails to consistently enforce guild and channel policy gates on Discord button and component interactions.

This means that attackers with low privileges can bypass the intended channel policy restrictions and trigger privileged component actions from contexts that should be blocked.

The root cause is an incorrect authorization check (classified as CWE-863) in the handling of Discord component interactions, allowing unauthorized actions within Discord integrations.

Impact Analysis

This vulnerability allows an attacker with low privileges to remotely exploit the system without any user interaction.

By bypassing guild and channel policy enforcement, the attacker can perform unauthorized modifications through privileged component actions within Discord integrations.

While it does not impact confidentiality or availability, it can lead to integrity issues by allowing unauthorized changes.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41367. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart