Description
OpenClaw before 2026.3.31 contains an access control bypass vulnerability in the Discord voice manager that allows attackers to bypass channel-level member access allowlist restrictions. Attackers can send Discord voice ingress requests before channel allowlist authorization is performed, gaining unauthorized access to restricted voice channels.
Published: 2026-04-28
Score: 2.3 Low (CVSS v4.0; the same record carries a CVSS v3.1 score of 5.4 Medium, see Metrics below)
EPSS: n/a
KEV: No
Impact: Unauthorized access to restricted voice channels
Action: Apply Patch
AI Analysis

Impact

This vulnerability allows an attacker to send Discord voice ingress requests before the channel allowlist verification occurs, enabling unauthorized entry into voice channels that should be protected. The flaw bypasses the intended access controls, potentially letting an unauthorized user eavesdrop on or inject unauthorized voice data.

Affected Systems

OpenClaw versions prior to 2026.3.31 are affected. The defect resides in the Discord voice manager component of the OpenClaw project and applies to all users running an unpatched copy.

Risk and Exploitability

The CVSS v4.0 base score is 2.3 (Low); the CVSS v3.1 score recorded for the same issue is 5.4 (Medium). Both vectors describe a network-reachable, low-complexity attack that needs low privileges (PR:L), i.e. an attacker who can already interact with the bot as a Discord member; the v4 vector's AT:P reflects that exploitation depends on a timing window, namely getting the voice ingress request in before the allowlist check completes. No EPSS score is available and the CVE is not in the CISA KEV catalog, so no known exploitation has been reported. A successful bypass grants access to the restricted channel (confidentiality and integrity impact rated Low) but no further privileges and no impact on other components (S:U; SC/SI/SA:N).

Generated by OpenCVE AI on April 29, 2026 at 02:38 UTC.

Remediation

The CVE record itself lists no vendor fix or workaround. The affected range ("before 2026.3.31") indicates that 2026.3.31 is the first unaffected release.

OpenCVE Recommended Actions

  • Upgrade OpenClaw to version 2026.3.31 or later to apply the vendor‑issued fix.
  • Until you can upgrade, verify in your deployment that the channel allowlist check completes before any voice ingress request is accepted or buffered; an authorization check that runs after, or concurrently with, ingress handling is the defect described here (CWE-863, incorrect authorization).
  • Restrict network exposure of the Discord voice manager endpoint, allowing access only from trusted hosts or behind an API gateway to limit attack surface.
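The defect the analysis and the recommended actions describe is an ordering bug: state for the voice session is created, and ingress accepted, before the allowlist lookup has resolved. The following is an added example written for this page, not OpenClaw's code and not a reproduction of the actual vulnerable function (which the record does not show). It models a tiny Discord-style voice manager in Node.js with the vulnerable ordering next to the hardened one; the class and method names, the allowlist shape, the member ids and the 5 ms lookup delay are all hypothetical, constructed for the demo.

```javascript
// Added example, not OpenClaw's code: a minimal Discord-style voice manager that
// models the ordering defect (CWE-863) and its fix. All names, the allowlist
// shape and the 5 ms lookup delay are hypothetical, constructed for this demo.

// Constructed channel allowlist: channel id -> members permitted in that channel.
const CHANNEL_ALLOWLIST = {
  "voice-ops": new Set(["alice", "bob"]),
};

// Asynchronous allowlist lookup, as a guild-config or database read would be.
function isMemberAllowed(channelId, memberId) {
  return new Promise((resolve) =>
    setTimeout(() => resolve(CHANNEL_ALLOWLIST[channelId]?.has(memberId) === true), 5),
  );
}

// Vulnerable ordering: the session is registered before the allowlist lookup
// resolves, and the ingress path only checks that a session exists.
class VulnerableVoiceManager {
  constructor() {
    this.sessions = new Map(); // memberId -> { channelId }
    this.ingress = [];         // voice frames accepted into channels
  }

  async join(channelId, memberId) {
    this.sessions.set(memberId, { channelId });        // registered before authorization
    const allowed = await isMemberAllowed(channelId, memberId);
    if (!allowed) this.sessions.delete(memberId);      // too late: ingress may already be in
    return allowed;
  }

  handleIngress(memberId, frame) {
    const session = this.sessions.get(memberId);
    if (!session) return false;
    this.ingress.push({ channelId: session.channelId, memberId, frame });
    return true;
  }
}

// Hardened ordering: no session exists until the allowlist check has passed, and
// the ingress path additionally requires the session to be marked authorized.
class HardenedVoiceManager {
  constructor() {
    this.sessions = new Map();
    this.ingress = [];
  }

  async join(channelId, memberId) {
    const allowed = await isMemberAllowed(channelId, memberId);
    if (allowed) this.sessions.set(memberId, { channelId, authorized: true });
    return allowed;
  }

  handleIngress(memberId, frame) {
    const session = this.sessions.get(memberId);
    if (!session || session.authorized !== true) return false;
    this.ingress.push({ channelId: session.channelId, memberId, frame });
    return true;
  }
}

// The attack pattern from the advisory: "mallory" is not on the allowlist and
// sends a voice frame right after requesting to join, before the check resolves.
async function raceIngress(manager) {
  const joining = manager.join("voice-ops", "mallory");           // deliberately not awaited
  const accepted = manager.handleIngress("mallory", "opus-frame-1");
  const joined = await joining;
  return { joined, accepted, framesInChannel: manager.ingress.length };
}

// Control case: an allowlisted member who waits for join to complete still works.
async function legitimateFlow(manager) {
  const joined = await manager.join("voice-ops", "alice");
  const accepted = manager.handleIngress("alice", "opus-frame-1");
  return { joined, accepted };
}

// Demo output when run directly with node:
// vulnerable -> { joined: false, accepted: true,  framesInChannel: 1 }
// hardened   -> { joined: false, accepted: false, framesInChannel: 0 }
Promise.all([raceIngress(new VulnerableVoiceManager()), raceIngress(new HardenedVoiceManager())])
  .then(([vulnerable, hardened]) => console.log({ vulnerable, hardened }));
```

The race is deterministic here because the vulnerable join mutates the session map synchronously before its first await, so any ingress queued on the same event-loop turn gets through; the same window exists whenever state is created before an awaited authorization resolves. The fix is two-fold: create no session until the check has passed, and have the ingress path verify authorization itself rather than trusting that a session exists.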

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 19:15:00 +0000

Initial publication: all fields below were added, none removed.

Description: OpenClaw before 2026.3.31 contains an access control bypass vulnerability in the Discord voice manager that allows attackers to bypass channel-level member access allowlist restrictions. Attackers can send Discord voice ingress requests before channel allowlist authorization is performed, gaining unauthorized access to restricted voice channels.
Title: OpenClaw < 2026.3.31 - Access Control Bypass in Discord Voice Manager via Channel Allowlist
First Time appeared: Openclaw; Openclaw openclaw
Weaknesses: CWE-863
CPEs: cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products: Openclaw; Openclaw openclaw
References: (none listed)
Metrics:
  cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}
  cvssV4_0: {'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-28T18:09:44.214Z

Reserved: 2026-04-20T14:12:09.519Z

Link: CVE-2026-41381

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-04-28T19:37:41.097

Modified: 2026-04-28T20:10:23.367

Link: CVE-2026-41381

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T02:45:35Z

Weaknesses