OpenClaw Missing Owner Flag Validation in Discord Voice Transcript Handler

Vulnerability

OpenClaw versions prior to 2026.3.2 do not validate the senderIsOwner flag when a Discord voice transcript is processed through the agentCommand function. On that path the flag is not passed explicitly, so it falls back to its default of true and every voice participant is treated as the owner. A non-owner participant in a mixed-trust voice channel can therefore invoke owner-only tools such as the gateway and cron functionality.

Impact

A non-owner participant who can speak in a Discord voice channel can reach owner-only tools through the voice transcript path. The exposure is greatest in mixed-trust channels, where not every participant who can speak is an owner, since no further authentication stands between the transcript and the privileged tool.

Remediation

Update to OpenClaw version 2026.3.2 or later. Operators who patch the handler themselves should pass the senderIsOwner flag explicitly on the Discord voice transcript path, treat a missing value as "not owner" rather than relying on a permissive default, and add regression tests that cover both owner and non-owner voice participants.
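The bug class and its fix, as an added example in JavaScript that is not OpenClaw's code: the names agentCommand, senderIsOwner, gateway and cron come from the advisory, while the function bodies, the handleVoiceTranscript handlers, the OWNER_ONLY_TOOLS set, the owner list and the sample transcripts are assumptions constructed for illustration. It places the permissive-default version beside a fail-closed version and runs the regression matrix the remediation section asks for.

```javascript
// Added example modelling the bug class in this advisory; it is not OpenClaw's code.
// agentCommand, senderIsOwner, gateway and cron come from the advisory;
// everything else here is a constructed assumption.

// Assumed set of owner-only tools (the advisory names gateway and cron).
const OWNER_ONLY_TOOLS = new Set(["gateway", "cron"]);

// Hypothetical pre-2026.3.2 shape: senderIsOwner is optional and defaults to true,
// so any call site that forgets to pass it silently grants owner privileges.
function agentCommandVulnerable({ senderIsOwner = true, tool }) {
  if (OWNER_ONLY_TOOLS.has(tool) && !senderIsOwner) {
    return { ok: false, reason: "owner-only tool" };
  }
  return { ok: true, tool };
}

// Hypothetical fixed shape: the flag must be an explicit boolean. A missing or
// malformed value fails closed with a distinct reason, so a call site that drops
// the flag is caught by tests instead of quietly elevating a non-owner.
function agentCommandFixed({ senderIsOwner, tool }) {
  if (typeof senderIsOwner !== "boolean") {
    return { ok: false, reason: "senderIsOwner not provided" };
  }
  if (OWNER_ONLY_TOOLS.has(tool) && !senderIsOwner) {
    return { ok: false, reason: "owner-only tool" };
  }
  return { ok: true, tool };
}

// Hypothetical voice transcript handler that forwards the flag correctly:
// ownership is resolved from the speaker's Discord user id against a configured
// owner list, then passed explicitly into the command layer.
function handleVoiceTranscript(transcript, ownerIds, agentCommand) {
  const senderIsOwner = ownerIds.has(transcript.userId);
  return agentCommand({ senderIsOwner, tool: transcript.tool });
}

// The faulty call site the advisory describes: the handler never forwards the flag.
function handleVoiceTranscriptMissingFlag(transcript, ownerIds, agentCommand) {
  return agentCommand({ tool: transcript.tool });
}

// Constructed sample input: one owner and one non-owner speaking in the same
// mixed-trust voice channel, both asking for the owner-only cron tool.
const OWNER_IDS = new Set(["111111111111111111"]);
const OWNER_TRANSCRIPT = { userId: "111111111111111111", tool: "cron" };
const GUEST_TRANSCRIPT = { userId: "222222222222222222", tool: "cron" };
const GUEST_SEARCH = { userId: "222222222222222222", tool: "search" };

// Regression matrix covering the combinations the remediation section asks for.
// Each entry is the decision the command layer returns for that scenario.
function regressionMatrix() {
  return {
    // The bug: flag dropped on the voice path, default true, guest reaches cron.
    vulnerableMissingFlagGuest: handleVoiceTranscriptMissingFlag(GUEST_TRANSCRIPT, OWNER_IDS, agentCommandVulnerable),
    // Same dropped flag against the fixed command layer: fails closed.
    fixedMissingFlagGuest: handleVoiceTranscriptMissingFlag(GUEST_TRANSCRIPT, OWNER_IDS, agentCommandFixed),
    // Flag forwarded correctly: owner allowed, guest denied on cron, guest allowed on an ordinary tool.
    fixedOwnerCron: handleVoiceTranscript(OWNER_TRANSCRIPT, OWNER_IDS, agentCommandFixed),
    fixedGuestCron: handleVoiceTranscript(GUEST_TRANSCRIPT, OWNER_IDS, agentCommandFixed),
    fixedGuestSearch: handleVoiceTranscript(GUEST_SEARCH, OWNER_IDS, agentCommandFixed),
  };
}

console.log(JSON.stringify(regressionMatrix(), null, 2));
```

The point of the distinct "senderIsOwner not provided" reason is that a dropped flag shows up as its own failure in the regression matrix rather than being indistinguishable from a legitimate non-owner denial; a default of false alone would close the hole but hide the broken call site.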

Added: Mar 19, 2026, 10:31 PM
Updated: Mar 19, 2026, 10:31 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 3.1
exploitability: 4.6
remediation: 0.0
relevance: 4.1
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.