OpenClaw Discord Event Cover Image Normalization Bypass Vulnerability
Vulnerability
A vulnerability exists in OpenClaw versions from 2026.4.7 up to, but not including, 2026.4.10, where the media normalization applied to Discord event cover images is incomplete. A cover image reference that points at host-local media is neither rejected nor rewritten by the normalizer, so an attacker who can set a cover image can inject a reference to local media into a channel. Channel actions that assume every media reference has already been normalized then operate on a reference they were never meant to receive.
Impact
Exploitation of this vulnerability leads to improper handling of media references in Discord channel actions: host-local media is injected where only normalized media is expected, so code paths built on that assumption handle a reference to media on the OpenClaw host instead.
Reproduction
To reproduce this vulnerability, create a Discord event whose cover image parameter references a local file URL. When OpenClaw processes the event, the missing normalization step lets the local media reference bypass the sandbox restrictions that would otherwise apply and reach the channel action path.
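The normalization step the advisory describes, shown as an added example in TypeScript (OpenClaw's implementation language) that is not OpenClaw's own code: it assumes the intended policy is that only absolute http(s) URLs may reach a channel action, and rejects every reference that names media on the host. normalizeMediaRef, prepareEventCover, EventDraft and the sample inputs are hypothetical and constructed for this example.

```typescript
// Added example (not OpenClaw's code): a media reference normalizer that only
// lets absolute http(s) URLs through to the channel action path and rejects
// anything that resolves to media on the host. All names are hypothetical.

type MediaRef =
  | { kind: "remote"; url: string }
  | { kind: "rejected"; reason: string };

// Assumed policy: the channel action may only ever see http(s) URLs.
const ALLOWED_PROTOCOLS: ReadonlySet<string> = new Set(["http:", "https:"]);

// Shapes that name a path on the host rather than a fetchable URL:
// POSIX absolute (/x), relative (./x, ../x), Windows drive (C:\x, C:/x), UNC (\\srv\share).
const HOST_LOCAL_PATH = /^(?:\/|\.{1,2}[\/\\]|[A-Za-z]:[\/\\]|\\\\)/;

function normalizeMediaRef(raw: string): MediaRef {
  const ref = raw.trim();
  if (ref === "") return { kind: "rejected", reason: "empty reference" };
  // The WHATWG URL parser silently strips tabs and newlines, so check for
  // control characters before parsing instead of relying on it.
  if (/[\x00-\x1f\x7f]/.test(ref)) {
    return { kind: "rejected", reason: "control characters in reference" };
  }
  // Bare paths never reach the URL parser: a POSIX path would throw, and a
  // Windows drive path would parse as a URL with the odd scheme "c:".
  if (HOST_LOCAL_PATH.test(ref)) return { kind: "rejected", reason: "host-local path" };

  let url: URL;
  try {
    url = new URL(ref);
  } catch {
    return { kind: "rejected", reason: "not an absolute URL" };
  }
  // URL lowercases the scheme, so FILE:///... and file:///... both land here.
  if (url.protocol === "file:") return { kind: "rejected", reason: "file: scheme" };
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) {
    return { kind: "rejected", reason: `scheme ${url.protocol} not allowed` };
  }
  if (url.hostname === "") return { kind: "rejected", reason: "missing host" };

  url.hash = ""; // fragments never reach the server; drop them from the canonical form
  return { kind: "remote", url: url.href };
}

// Hypothetical shape of an event draft as it would be handed to a channel action.
interface EventDraft {
  name: string;
  coverImage?: string;
}

// Applies the normalizer to the draft's cover image. A rejected reference is an
// error; it is never forwarded as the raw string the caller supplied.
function prepareEventCover(draft: EventDraft): EventDraft {
  if (draft.coverImage === undefined) return draft;
  const result = normalizeMediaRef(draft.coverImage);
  if (result.kind === "rejected") {
    throw new Error(`cover image rejected: ${result.reason}`);
  }
  return { ...draft, coverImage: result.url };
}

// Constructed sample inputs for a stand-alone run.
const SAMPLES: string[] = [
  "https://cdn.example.com/cover.png",
  " https://cdn.example.com/cover.png#top ",
  "file:///etc/hostname",
  "FILE:///C:/Windows/win.ini",
  "/var/lib/openclaw/media/cover.png",
  "../cover.png",
  "C:\\Users\\bot\\cover.png",
  "ftp://example.com/cover.png",
  "cover.png",
];

for (const sample of SAMPLES) {
  const r = normalizeMediaRef(sample);
  console.log(
    JSON.stringify(sample).padEnd(44),
    r.kind === "remote" ? `-> ${r.url}` : `rejected: ${r.reason}`,
  );
}
```

The ordering of the checks is the point. Bare paths are rejected before parsing because new URL() throws on a POSIX path but quietly accepts a Windows drive path as a URL with scheme c:, and control characters are rejected before parsing because the WHATWG parser strips tabs and newlines instead of failing. Only the canonical form the parser produced is forwarded, so a channel action downstream never sees the attacker's original string.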
Remediation
Users are advised to upgrade to OpenClaw version 2026.4.10 or later. The latest version available on npm at the time of writing, 2026.4.14, includes the fix.
