OpenClaw Access Control Bypass Vulnerability in Discord Voice Manager
Vulnerability
A vulnerability allowing access control bypass has been identified in OpenClaw versions prior to 2026.3.31. This issue resides within the Discord voice manager, where channel-level member access allowlist restrictions can be circumvented. Attackers are able to send voice ingress requests to Discord channels before the allowlist authorization is completed, thereby gaining unauthorized access to restricted voice channels.
Impact
Exploitation of this vulnerability allows for unauthorized access to voice channels that are supposed to be restricted, bypassing the channel-level member access allowlist.
Reproduction
The vulnerability can be reproduced by sending Discord voice ingress requests to a channel that has member access restrictions in place. If the request is sent before the channel allowlist authorization is completed, access will be granted to the restricted voice channel. This can be done by manipulating the timing of the voice ingress requests in relation to the allowlist authorization process.
Remediation
Users can update to OpenClaw version 2026.3.31 or later, where this vulnerability has been patched.
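The ordering problem described above, as an added example that is not OpenClaw's code: a gate that lets voice ingress through while the allowlist decision is still pending, next to a fail-closed variant that holds frames until the decision is positive. All class, method and channel names are hypothetical, and the scenario data is constructed.

```javascript
// Added illustration; every name here is hypothetical, not OpenClaw's API.
const MAX_HELD = 8; // bound on frames buffered per member while a decision is pending

class VoiceIngressGate {
  constructor(allowlist, failClosed) {
    this.allowlist = allowlist;   // Map: channelId -> Set of permitted userIds
    this.failClosed = failClosed; // false models the flawed ordering
    this.state = new Map();       // "channel:user" -> "pending" | "allowed" | "denied"
    this.held = new Map();        // frames buffered while the decision is pending
    this.delivered = [];          // frames that reached the voice pipeline
  }
  beginAuthorization(channelId, userId) {
    this.state.set(`${channelId}:${userId}`, "pending");
  }
  completeAuthorization(channelId, userId) {
    const key = `${channelId}:${userId}`;
    const members = this.allowlist.get(channelId);
    // A channel with no allowlist entry is treated as deny in this sketch.
    const ok = members !== undefined && members.has(userId);
    this.state.set(key, ok ? "allowed" : "denied");
    const frames = this.held.get(key) || [];
    this.held.delete(key);
    if (ok) this.delivered.push(...frames); // release only after a positive decision
    return ok;
  }
  ingress(channelId, userId, frame) {
    const key = `${channelId}:${userId}`;
    const s = this.state.get(key);
    if (!this.failClosed) {
      // Flawed ordering: only an explicit "denied" blocks, so "pending" passes.
      if (s !== "denied") this.delivered.push(frame);
      return;
    }
    if (s === "allowed") { this.delivered.push(frame); return; }
    if (s === "pending") {
      const q = this.held.get(key) || [];
      if (q.length < MAX_HELD) q.push(frame);
      this.held.set(key, q);
    } // unknown or denied: drop the frame
  }
}

// Constructed scenario: one frame arrives before the allowlist decision, one after.
function simulate(failClosed, userId) {
  const allowlist = new Map([["restricted", new Set(["alice"])]]);
  const gate = new VoiceIngressGate(allowlist, failClosed);
  gate.beginAuthorization("restricted", userId);
  gate.ingress("restricted", userId, "frame-1");
  gate.completeAuthorization("restricted", userId);
  gate.ingress("restricted", userId, "frame-2");
  return gate.delivered;
}
```

With `failClosed` set to `false`, the frame sent by a non-allowlisted member during the pending window is delivered; with `true`, nothing from that member reaches the pipeline, while an allowlisted member's early frame is released once authorization completes.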
