CVE-2026-32028

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-32028
OpenClaw versions prior to 2026.2.25 fail to enforce dmPolicy and allowFrom authorization checks on Discord direct-message reaction notifications, allowing non-allowlisted users to enqueue reaction-derived system events. Attackers can exploit this inconsistency by reacting to bot-authored DM messages to bypass DM authorization restrictions and trigger downstream automation or tool policies.

5.3 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/openclaw/openclaw/commit/aedf62ac7e669a89c7b299201bf6537dc6b12e0e Patch
https://github.com/openclaw/openclaw/security/advisories/GHSA-354r-7mfh-7rh2 Vendor Advisory
https://www.vulncheck.com/advisories/openclaw-missing-authorization-check-in-discord-dm-reaction-ingress Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
History

25 Mar 2026, 15:16

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 3.7 		v2 : unknown
v3 : 5.3
Summary
  • (es) Las versiones de OpenClaw anteriores a 2026.2.25 fallan al aplicar las comprobaciones de autorización de dmPolicy y allowFrom en las notificaciones de reacción de mensajes directos de Discord, permitiendo a usuarios no incluidos en la lista de permitidos encolar eventos de sistema derivados de reacciones. Los atacantes pueden explotar esta inconsistencia reaccionando a mensajes directos (DM) creados por bots para eludir las restricciones de autorización de DM y activar políticas de automatización o herramientas posteriores.

23 Mar 2026, 15:21

Type Values Removed Values Added
First Time Openclaw openclaw
Openclaw
CPE cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
References () https://github.com/openclaw/openclaw/commit/aedf62ac7e669a89c7b299201bf6537dc6b12e0e - () https://github.com/openclaw/openclaw/commit/aedf62ac7e669a89c7b299201bf6537dc6b12e0e - Patch
References () https://github.com/openclaw/openclaw/security/advisories/GHSA-354r-7mfh-7rh2 - () https://github.com/openclaw/openclaw/security/advisories/GHSA-354r-7mfh-7rh2 - Vendor Advisory
References () https://www.vulncheck.com/advisories/openclaw-missing-authorization-check-in-discord-dm-reaction-ingress - () https://www.vulncheck.com/advisories/openclaw-missing-authorization-check-in-discord-dm-reaction-ingress - Third Party Advisory

19 Mar 2026, 22:16

Type Values Removed Values Added
New CVE
Information

Published : 2026-03-19 22:16

Updated : 2026-03-25 15:16

NVD link : CVE-2026-32028

Mitre link : CVE-2026-32028

CVE.ORG link : CVE-2026-32028

JSON object : View

Products Affected

openclaw

  • openclaw
CWE
CWE-863

Incorrect Authorization