OpenClaw Discord Component Misclassification Vulnerability
Vulnerability
A logic error in the Discord component's interaction routing affects OpenClaw versions prior to 2026.3.31. When the component routes an interaction, it classifies a group direct message (group DM) as a regular direct message. The two conversation types are subject to different policies, so an interaction originating in a group DM is evaluated against the DM policy instead of the group DM policy, which allows group DM policy enforcement to be bypassed; because session handling also depends on the conversation type, the interaction is handled under the wrong session context. The defect lies in how component interactions are processed and routed, specifically in distinguishing the message types from one another and mapping each to its associated policy.
Impact
A component interaction sent from a group DM is treated as a regular DM. Restrictions configured for group DMs are therefore not applied to it, and session handling for the interaction is incorrect. Reaching the affected path requires nothing more than the ability to trigger a component interaction in a group DM that includes the bot.
Reproduction
To reproduce, run an affected version (any release prior to 2026.3.31, such as 2026.3.24) and trigger a component interaction, for example a button press, from within a group DM that includes the bot. The interaction is classified as a regular DM: the group DM policy is not applied and the interaction is handled under DM session handling. After upgrading, repeating the same interaction and confirming that the configured group DM policy is now enforced is a quick check that the fix is in place.
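The following is an added illustration of the misclassification class described in the Vulnerability and Reproduction sections above. It is not OpenClaw's code, and the advisory does not show the project's actual routing logic. The Discord channel type values (DM = 1, GROUP_DM = 3) and the fact that an interaction carries guild_id only when it comes from a guild are taken from Discord's API documentation; the policy names, the session-key format and the sample payloads are assumptions constructed for the example. The flawed classifier derives "DM" from the absence of guild_id, the kind of test that lumps group DMs in with DMs; the fixed classifier discriminates on channel.type and fails closed on any type it does not expect.

```typescript
// Added example, not OpenClaw code. Discord channel type values are from the
// Discord API docs; policy names, session-key format and sample payloads are
// assumptions made for illustration only.

// Discord channel types that can carry a component interaction without a guild.
const CHANNEL_DM = 1;
const CHANNEL_GROUP_DM = 3;

type ContextKind = "dm" | "group_dm" | "guild";
type Rule = "owner" | "anyone" | "disabled";

// Minimal shape of a Discord interaction payload. guild_id is absent for both
// DMs and group DMs, so it cannot distinguish them; channel.type can.
interface DiscordInteraction {
  id: string;
  guild_id?: string;
  channel: { id: string; type: number };
  user: { id: string };
  data: { custom_id: string };
}

// Assumed policy: who may trigger components in each conversation context.
interface ComponentPolicy {
  dm: Rule;
  groupDm: Rule;
  ownerId: string;
}

interface RouteResult {
  kind: ContextKind;
  allowed: boolean;
  sessionKey: string;
}

// FLAWED: "no guild" is taken to mean "regular DM". A group DM has no guild
// either, so it is routed as a DM and the group DM rule is never consulted.
function classifyFlawed(i: DiscordInteraction): ContextKind {
  return i.guild_id ? "guild" : "dm";
}

// FIXED: discriminate on channel.type and fail closed on anything unexpected.
function classifyFixed(i: DiscordInteraction): ContextKind {
  if (i.guild_id) return "guild";
  if (i.channel.type === CHANNEL_DM) return "dm";
  if (i.channel.type === CHANNEL_GROUP_DM) return "group_dm";
  throw new Error(`refusing to route guild-less channel of type ${i.channel.type}`);
}

function allowedBy(rule: Rule, userId: string, ownerId: string): boolean {
  return rule === "anyone" || (rule === "owner" && userId === ownerId);
}

// Both the policy check and the session key depend on the classification, so a
// wrong kind yields a policy bypass and the wrong session at the same time.
function route(
  i: DiscordInteraction,
  policy: ComponentPolicy,
  classify: (i: DiscordInteraction) => ContextKind,
): RouteResult {
  const kind = classify(i);
  if (kind === "guild") {
    return { kind, allowed: true, sessionKey: `guild:${i.guild_id}:${i.channel.id}` };
  }
  if (kind === "dm") {
    return { kind, allowed: allowedBy(policy.dm, i.user.id, policy.ownerId), sessionKey: `dm:${i.user.id}` };
  }
  return { kind, allowed: allowedBy(policy.groupDm, i.user.id, policy.ownerId), sessionKey: `group:${i.channel.id}` };
}

// Constructed sample: a non-owner presses a button in a group DM that includes
// the bot, under a policy that allows DMs from anyone but disables group DMs.
const SAMPLE_POLICY: ComponentPolicy = { dm: "anyone", groupDm: "disabled", ownerId: "100" };

const GROUP_DM_BUTTON_PRESS: DiscordInteraction = {
  id: "1",
  channel: { id: "222", type: CHANNEL_GROUP_DM },
  user: { id: "999" },
  data: { custom_id: "approve" },
};

// Run the same interaction through both classifiers so the difference is visible.
function compare(i: DiscordInteraction, policy: ComponentPolicy): { flawed: RouteResult; fixed: RouteResult } {
  return { flawed: route(i, policy, classifyFlawed), fixed: route(i, policy, classifyFixed) };
}

const result = compare(GROUP_DM_BUTTON_PRESS, SAMPLE_POLICY);
console.log("flawed:", result.flawed);
console.log("fixed: ", result.fixed);
```

With the flawed classifier the group DM button press is allowed under the "anyone" DM rule and lands in the session keyed on the user; with the fixed classifier the "disabled" group DM rule rejects it and the session key is the group channel. The unknown-type branch throwing rather than defaulting to "dm" is the other half of the fix: a classifier that guesses a permissive context on unexpected input re-creates the same bypass the next time Discord adds a channel type.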
Remediation
Update to OpenClaw version 2026.3.31 or later, which contains the fix.
