Description
OpenClaw before 2026.3.31 contains an authorization bypass vulnerability in Discord voice ingress that allows attackers to bypass channel and member allowlist restrictions. Attackers can exploit stale-role validation gaps and improper channel name validation to gain unauthorized access to restricted voice channels.
Published: 2026-04-28
Score: 2.3 Low
EPSS: n/a
KEV: No
Impact: Authorization Bypass for Restricted Voice Channels
Action: Apply Patch
AI Analysis

Impact

OpenClaw versions prior to 2026.3.31 contain an authorization bypass (tracked as CWE-862, Missing Authorization) that lets attackers get past channel and member allowlists by exploiting stale role validation and inadequate channel name checks. The stated consequence is that an attacker can join restricted voice channels. The CVE does not mention interception, injection or manipulation of audio; because the access is to a voice channel, unauthorized participation could plausibly allow eavesdropping, but that is an inference rather than something the record states.

Affected Systems

All OpenClaw deployments running a version earlier than 2026.3.31 are potentially vulnerable. The CPE on this record (cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*) identifies the Node.js distribution. The affected component is the Discord voice ingress path that OpenClaw uses to receive incoming voice streams.

Risk and Exploitability

The CVSS v4.0 score of 2.3 places this vulnerability in the low severity range (the v3.1 vector on the same record scores it 5.4, medium). No EPSS score has been published yet and the CVE is not listed in the CISA KEV catalog, so there is no public evidence of exploitation, though a missing EPSS score is not itself evidence that exploitation is absent. Both vectors record a network attack vector with low privileges required and no user interaction (AV:N, PR:L, UI:N); the v4.0 vector additionally marks attack requirements as present (AT:P), which is consistent with the description's dependence on a stale role assignment or on how channel names are validated. Based on the description, an attacker would need an account on the Discord server that the OpenClaw integration is attached to, and would then join or send voice into a channel that the ingress allowlist should have rejected. No local access to the OpenClaw host is required.

Generated by OpenCVE AI on April 29, 2026 at 01:23 UTC.
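The stale-role and channel-name gaps described in the Impact section above, as an added illustration that is not code from OpenClaw, OpenCVE or the CVE record: a hypothetical Discord voice ingress allowlist check in the weak form (member authorized from a role snapshot taken at startup, channel matched by its display name) beside a hardened form (roles read at decision time, channel matched by its immutable ID, fail closed on unknown members or channels), plus an audit helper for the "prune stale roles" recommendation that lists cached grants the guild no longer backs. The guild state, member and channel IDs, role names and the lookupRoles callback are all constructed for the example; the actual mechanism inside OpenClaw is not known from this page.

```javascript
// Added illustration (not OpenClaw's code) of the CWE-862 pattern the CVE
// describes: an allowlist check for Discord voice ingress that trusts a stale
// role snapshot and matches channels by name, beside a hardened check.
// All guild state below is constructed; ids and role names are hypothetical.

// Constructed guild: channel id -> channel name, member id -> CURRENT role ids.
const guild = {
  channels: new Map([
    ['111', 'ops-voice'],   // the channel operators actually allowlisted
    ['222', 'ops-voice'],   // another channel later renamed to the same name
  ]),
  memberRoles: new Map([
    ['alice', new Set(['role-ops'])],
    ['mallory', new Set()],  // role-ops was revoked after the bot started
  ]),
};

// Operator configuration. The name-based entry is what the weak check uses.
const allowlist = {
  channelIds: new Set(['111']),
  channelNames: new Set(['ops-voice']),
  roleIds: new Set(['role-ops']),
};

// Role snapshot captured at startup and never refreshed: the stale cache.
const roleCache = new Map([
  ['alice', new Set(['role-ops'])],
  ['mallory', new Set(['role-ops'])],
]);

function hasAllowedRole(roles) {
  for (const r of roles) if (allowlist.roleIds.has(r)) return true;
  return false;
}

// Weak check: channel matched by display name, member authorized from the
// cache. Both inputs drift from the truth (a channel can be renamed to a
// listed name; a revocation never reaches the cache), so a restricted
// channel can be reached by a member who should be rejected.
function allowIngressWeak(memberId, channelId) {
  const name = guild.channels.get(channelId);
  const channelOk = allowlist.channelNames.has(name);
  const roleOk = hasAllowedRole(roleCache.get(memberId) ?? new Set());
  return channelOk && roleOk;
}

// Hardened check: match on the immutable channel id, read the member's roles
// at decision time (lookupRoles stands in for a live member fetch), and fail
// closed when the channel or member is unknown.
function allowIngressHardened(memberId, channelId,
                              lookupRoles = id => guild.memberRoles.get(id)) {
  if (!allowlist.channelIds.has(channelId)) return false;
  if (!guild.channels.has(channelId)) return false;
  const roles = lookupRoles(memberId);
  if (!roles) return false;
  return hasAllowedRole(roles);
}

// Audit helper for the "prune stale roles" action: members whose cached
// grants include an allowlisted role the guild no longer gives them.
function findStaleRoleGrants(cache, current) {
  const stale = [];
  for (const [memberId, cachedRoles] of cache) {
    const live = current.get(memberId) ?? new Set();
    for (const r of cachedRoles) {
      if (allowlist.roleIds.has(r) && !live.has(r)) { stale.push(memberId); break; }
    }
  }
  return stale.sort();
}

// Stand-alone demonstration.
console.log('weak  mallory->111', allowIngressWeak('mallory', '111'));     // true: stale role
console.log('weak  alice->222  ', allowIngressWeak('alice', '222'));       // true: name collision
console.log('hard  mallory->111', allowIngressHardened('mallory', '111')); // false
console.log('hard  alice->222  ', allowIngressHardened('alice', '222'));   // false
console.log('hard  alice->111  ', allowIngressHardened('alice', '111'));   // true
console.log('stale grants', findStaleRoleGrants(roleCache, guild.memberRoles)); // ['mallory']
```

The two properties the hardened form enforces are the ones the CVE description names: the authorization decision is taken against current role state rather than a snapshot, and the channel is identified by a value the member cannot change. Running findStaleRoleGrants against a bot's own cache before upgrading is one way to measure exposure from the stale-role side, but it does not remove the bypass; only the upgrade does.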

Remediation

No vendor advisory or workaround is linked on this record. The CVE description identifies 2026.3.31 as the first version without the bypass, so upgrading to that release or later is the available fix.

OpenCVE Recommended Actions

  • Upgrade OpenClaw to version 2026.3.31 or later.
  • Review and prune Discord roles and channel permissions to eliminate stale roles that could bypass allowlists.
  • If immediate upgrade is not possible, disable or restrict external Discord voice ingestion until the patch is applied.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 19:15:00 +0000

Type | Values Removed | Values Added
Description | | OpenClaw before 2026.3.31 contains an authorization bypass vulnerability in Discord voice ingress that allows attackers to bypass channel and member allowlist restrictions. Attackers can exploit stale-role validation gaps and improper channel name validation to gain unauthorized access to restricted voice channels.
Title | | OpenClaw < 2026.3.31 - Discord Voice Ingress Authorization Bypass via Channel and Role Validation Gaps
First Time appeared | | Openclaw; Openclaw openclaw
Weaknesses | | CWE-862
CPEs | | cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products | | Openclaw; Openclaw openclaw
References | |
Metrics | | cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}
Metrics | | cvssV4_0: {'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-29T13:33:15.047Z

Reserved: 2026-04-20T14:12:09.519Z

Link: CVE-2026-41382

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-04-28T19:37:41.230

Modified: 2026-04-28T20:10:23.367

Link: CVE-2026-41382

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T01:30:06Z

Weaknesses