Description
OpenClaw before 2026.3.31 contains a logic error in Discord component interaction routing that misclassifies group direct messages as direct messages in extensions/discord/src/monitor/agent-components-helpers.ts. Attackers can exploit this misclassification to bypass group DM policy enforcement or trigger incorrect session handling.
Published: 2026-04-23
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Policy Bypass
Action: Monitor
AI Analysis

Impact

OpenClaw before 2026.3.31 contains a logic error in Discord component interaction routing that misclassifies group direct messages as direct messages. This misclassification can be abused by an attacker to bypass group DM policy enforcement or cause incorrect session handling. The flaw aligns with CWE-351, a logic error that leads to unintended behavior. Because it only affects policy enforcement and session state, no direct compromise of credentials or code execution is possible.

Affected Systems

Vendors: OpenClaw; Product: OpenClaw. Affected versions are all ones preceding 2026.3.31—with the fix introduced in the 2026.3.31 release. Users running legacy OpenClaw installations that include the Discord extension are potentially vulnerable.

Risk and Exploitability

The CVSS score is 2.3, indicating low severity, and the EPSS score is below 1%. The vulnerability is not listed in the CISA KEV catalog. The attack path is inferred to require an attacker who can send crafted Discord component interaction payloads to the OpenClaw Discord extension; such an attacker could trigger the misclassification. No additional conditions are noted. Overall risk remains modest, but the potential to circumvent group DM controls could undermine administrative policies.

Generated by OpenCVE AI on April 28, 2026 at 07:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenClaw to 2026.3.31 or newer.
  • Ensure the Discord extension’s group DM policy enforcement remains active and correctly configured.
  • Continuously review Discord interaction logs for unexpected direct messages or session handling anomalies.

Generated by OpenCVE AI on April 28, 2026 at 07:19 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-6336-qqw9-v6x6 OpenClaw: Discord Component Interaction Misclassifies Group DM as Direct Message
History

Sat, 25 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 23 Apr 2026 22:15:00 +0000

Type Values Removed Values Added
Description OpenClaw before 2026.3.31 contains a logic error in Discord component interaction routing that misclassifies group direct messages as direct messages in extensions/discord/src/monitor/agent-components-helpers.ts. Attackers can exploit this misclassification to bypass group DM policy enforcement or trigger incorrect session handling.
Title OpenClaw < 2026.3.31 - Component Interaction Misclassification in Discord Extension
First Time appeared Openclaw
Openclaw openclaw
Weaknesses CWE-351
CPEs cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products Openclaw
Openclaw openclaw
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}

cvssV4_0

{'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Openclaw Openclaw
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-25T01:34:11.541Z

Reserved: 2026-04-20T14:05:09.183Z

Link: CVE-2026-41341

cve-icon Vulnrichment

Updated: 2026-04-25T01:34:07.322Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-23T22:16:40.477

Modified: 2026-04-29T15:56:08.107

Link: CVE-2026-41341

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T07:30:26Z

Weaknesses