OpenClaw CVE-2026-41303
Severity: HIGH
CVSS Vector (NVD)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
Description (NVD)
OpenClaw before 2026.3.28 contains an authorization bypass vulnerability in Discord text approval commands that allows non-approvers to resolve pending exec approvals. Attackers can send Discord text commands to bypass the channels.discord.execApprovals.approvers allowlist and approve pending host execution requests.
Analysis (AI)
Authorization bypass in OpenClaw before 2026.3.28 allows authenticated Discord users to approve pending host execution requests without proper privileges. Attackers with low-privileged Discord accounts can bypass the execApprovals.approvers allowlist by sending crafted Discord text commands, gaining unauthorized approval authority for exec requests. …
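The description boils down to one missing authorization check: a Discord text command could resolve a pending exec approval without the actor being in the channels.discord.execApprovals.approvers allowlist. The following is an added illustration, not OpenClaw's code, of the pattern behind such a bug and its fix: route every resolution path through a single choke point that consults the allowlist and records refused attempts, so the audit log the remediation asks you to review actually shows who tried. Only the config key name comes from the advisory; the class, function and field names, the command syntax and the sample user IDs are constructed for this example.

```python
"""Added example, not OpenClaw's code: enforce the approver allowlist in one
place so that every Discord path that can resolve a pending exec approval
(reaction, button or text command) goes through the same check.

Only the config key channels.discord.execApprovals.approvers comes from the
advisory; the class, function and field names and all sample IDs are
constructed for this example.
"""
from dataclasses import dataclass
from typing import Optional


class NotAnApprover(PermissionError):
    """Raised when a non-approver tries to resolve a pending approval."""


@dataclass
class PendingApproval:
    approval_id: str
    command: str                 # host command waiting for approval
    status: str = "pending"      # pending | approved | denied
    resolved_by: Optional[str] = None


class ExecApprovalStore:
    def __init__(self, approvers):
        # Mirrors channels.discord.execApprovals.approvers: the only Discord
        # user IDs allowed to approve or deny host execution requests.
        self.approvers = frozenset(approvers)
        self.pending: dict = {}
        self.audit_log: list = []    # (event, approval_id, actor_id, source)

    def request(self, approval_id, command):
        self.pending[approval_id] = PendingApproval(approval_id, command)

    def _resolve(self, approval_id, actor_id, decision, source):
        """Single choke point: every resolution path must call this."""
        if actor_id not in self.approvers:
            # Log the refused attempt so the audit trail shows who tried.
            self.audit_log.append(("refused", approval_id, actor_id, source))
            raise NotAnApprover(f"{actor_id} is not in execApprovals.approvers")
        rec = self.pending.get(approval_id)
        if rec is None or rec.status != "pending":
            raise KeyError(f"no pending approval {approval_id}")
        rec.status = decision
        rec.resolved_by = actor_id
        self.audit_log.append((decision, approval_id, actor_id, source))
        return rec

    # --- Hardened text-command path -------------------------------------
    def resolve_via_text_command(self, actor_id, text):
        """Parse '!approve <id>' / '!deny <id>' and route through _resolve."""
        parts = text.strip().split()
        if len(parts) != 2 or parts[0] not in ("!approve", "!deny"):
            return None    # not an approval command; ignore it
        decision = "approved" if parts[0] == "!approve" else "denied"
        return self._resolve(parts[1], actor_id, decision, source="text")

    # --- The pattern behind the bug, kept for contrast ------------------
    def resolve_via_text_command_unchecked(self, actor_id, text):
        """Same parser, but it mutates the record directly and never consults
        the allowlist, so anyone who can type in the channel can approve."""
        parts = text.strip().split()
        if len(parts) != 2 or parts[0] not in ("!approve", "!deny"):
            return None
        rec = self.pending[parts[1]]
        rec.status = "approved" if parts[0] == "!approve" else "denied"
        rec.resolved_by = actor_id
        return rec


def demo():
    """Constructed scenario: one approver, one pending request, one non-approver."""
    store = ExecApprovalStore(approvers={"111111111111111111"})
    store.request("req-1", "systemctl restart app")
    try:
        store.resolve_via_text_command("222222222222222222", "!approve req-1")
        refused = False
    except NotAnApprover:
        refused = True
    rec = store.resolve_via_text_command("111111111111111111", "!approve req-1")
    return refused, rec.status, rec.resolved_by, store.audit_log


if __name__ == "__main__":
    print(demo())
```

The point of the design is that `resolve_via_text_command` cannot forget the allowlist, because the only way to change a record's status is through `_resolve`; a code review that finds any other path writing `status` directly has found the same class of bug.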
Remediation (AI)
24 hours: Disable or restrict Discord bot execution approval commands in OpenClaw environments; audit recent approval request logs for unauthorized approvals. 7 days: Contact OpenClaw vendor for patch availability and estimated release timeline; implement network segmentation to limit Discord bot access to critical host execution endpoints. …
External POC / Exploit Code
GHSA-98hh-7ghg-x6rq