OpenClaw Discord Moderation Action Authorization Vulnerability Allowing Privilege Escalation
Vulnerability
A vulnerability in OpenClaw's Discord integration, present in versions through 2026.2.17, allows a non-admin Discord user to trigger moderation actions such as timeouts, kicks, and bans. In tool-driven flows the application took the identity of the requesting user from parameters supplied with the tool call, which the requesting user can influence, instead of from the sender context that the runtime attaches to the actual Discord message. A user could therefore present a spoofed sender identity and have the bot carry out moderation actions that their real identity is not authorized to request.
Impact
Exploitation allows unauthorized moderation actions, such as kicking or banning members or applying timeouts, to be performed against other users. The reach of an attack is bounded only by the Discord permissions the bot itself holds in the server, so a single non-admin user can disrupt normal server management and remove or silence other members.
Reproduction
To reproduce this vulnerability, a non-admin user sends a request in a tool-driven flow whose sender identity fields are spoofed (for example, claiming the identity or roles of an administrator) and which asks for a timeout, kick, or ban of a target user. The bot must hold the Discord permission needed for that action. A correct implementation ignores the supplied identity fields and authorizes the action against the runtime sender context only.
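The following is an added illustration of the bug class, not OpenClaw's own code: all type and function names (ToolArgs, SenderContext, authorizeVulnerable, authorizeHardened, POLICY) are hypothetical. It places the vulnerable pattern, which trusts identity fields carried inside the tool arguments, beside a hardened version that authorizes only against the identity the runtime resolved from the Discord event, and runs both against a constructed spoofed ban request.

```typescript
// Added example, not OpenClaw's code. Names are hypothetical; the shape
// mirrors the advisory: a tool-driven flow must not trust a sender identity
// supplied in the tool arguments, it must use the runtime sender context.

type Action = "timeout" | "kick" | "ban";

// Arguments as produced by the model/tool call. Everything here is
// attacker-influenced: the user who triggered the flow can steer the model
// into emitting whatever fields it likes.
interface ToolArgs {
  action: Action;
  targetUserId: string;
  // Vulnerable pattern: identity claimed inside the tool arguments.
  requesterId?: string;
  requesterRoles?: string[];
}

// Identity resolved by the runtime from the actual Discord event,
// never from model output.
interface SenderContext {
  userId: string;
  roles: string[];
}

// Hypothetical guild policy: which roles may perform which action.
const POLICY: Record<Action, string[]> = {
  timeout: ["moderator", "admin"],
  kick: ["moderator", "admin"],
  ban: ["admin"],
};

function hasPermission(roles: string[], action: Action): boolean {
  const allowed = POLICY[action];
  return roles.some((r) => allowed.indexOf(r) >= 0);
}

// Vulnerable: authorizes using requesterRoles from the tool arguments,
// so a member who gets the model to emit ["admin"] is treated as an admin.
function authorizeVulnerable(args: ToolArgs): boolean {
  const claimedRoles = args.requesterRoles ?? [];
  return hasPermission(claimedRoles, args.action);
}

// Hardened: ignores identity fields in the tool arguments and authorizes
// against the runtime sender context only. If the arguments carry a
// requesterId that disagrees with the real sender, refuse outright: that
// mismatch is itself a spoofing signal worth logging.
function authorizeHardened(args: ToolArgs, ctx: SenderContext): boolean {
  if (args.requesterId !== undefined && args.requesterId !== ctx.userId) {
    return false;
  }
  if (args.targetUserId === ctx.userId) {
    return false; // a user cannot moderate themselves
  }
  return hasPermission(ctx.roles, args.action);
}

// Constructed sample: a plain member triggers a ban tool call whose
// arguments claim a different user id and an admin role.
const spoofedBan: ToolArgs = {
  action: "ban",
  targetUserId: "222",
  requesterId: "999",        // claims to be someone else
  requesterRoles: ["admin"], // claims a role the real sender lacks
};
const realSender: SenderContext = { userId: "111", roles: ["member"] };

// Vulnerable path accepts the spoof; hardened path rejects it.
const vulnerableDecision = authorizeVulnerable(spoofedBan);          // true
const hardenedDecision = authorizeHardened(spoofedBan, realSender);  // false
console.log({ vulnerableDecision, hardenedDecision });
```

The key design point is that the runtime sender context is populated from the Discord event before the model sees the message, and the tool handler takes it as a separate argument it cannot be talked out of; nothing the model emits in the tool call should be able to replace it.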
Remediation
Users can update to OpenClaw version 2026.2.18 or later, where this vulnerability has been fixed.