CVE-2026-32028

low-risk
Published 2026-03-19

OpenClaw versions prior to 2026.2.25 fail to enforce dmPolicy and allowFrom authorization checks on Discord direct-message reaction notifications, allowing non-allowlisted users to enqueue reaction-derived system events. Attackers can exploit this inconsistency by reacting to bot-authored DM messages to bypass DM authorization restrictions and trigger downstream automation or tool policies.

Do I need to act?

-
0.04% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.3/10 Medium
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Openclaw

References (3)

Patch https://github.com/openclaw/openclaw/commit/aedf62ac7e669a89c7b299201bf6537dc6b1...
Vendor Advisory https://github.com/openclaw/openclaw/security/advisories/GHSA-354r-7mfh-7rh2
Third Party Advisory https://www.vulncheck.com/advisories/openclaw-missing-authorization-check-in-dis...
26
/ 100
low-risk
Severity 21/34 · High
Exploitability 0/34 · Minimal
Exposure 5/34 · Minimal