GHSA-pr66-whqj-rq5p: Duplicate Advisory: OpenClaw: Discord Component Interaction Misclassifies Group DM as Direct Message
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-6336-qqw9-v6x6. This link is maintained to preserve external references.
Original Description
OpenClaw before 2026.3.31 contains a logic error in Discord component interaction routing that misclassifies group direct messages (group DMs) as one-to-one direct messages in extensions/discord/src/monitor/agent-components-helpers.ts. Attackers can exploit this misclassification to bypass group DM policy enforcement or to trigger incorrect session handling.
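The bug class described above, as an added illustration that is not OpenClaw's code and does not reproduce the affected file: a channel classifier whose weak form treats every non-guild channel as a one-to-one DM, beside a corrected form that decides on the channel type and fails closed on anything it does not recognise. The interaction context, policy shape, session-key format and sample values are all constructed for this example; the numeric channel types are Discord's public ChannelType values (DM = 1, GROUP_DM = 3).

```typescript
type ChannelKind = "dm" | "group_dm" | "guild";

// Discord's public ChannelType values (assumed constants taken from the Discord API reference).
const ChannelType = { GUILD_TEXT: 0, DM: 1, GROUP_DM: 3 } as const;

// Hypothetical interaction context, not OpenClaw's own type.
interface InteractionContext {
  channelId: string;
  channelType: number;   // raw ChannelType value from the interaction payload
  guildId?: string;      // present only for guild channels
  userId: string;        // the interacting user
}

// Hypothetical DM policy: one-to-one DMs are open or off; group DMs are off or allowlisted.
interface DmPolicy {
  dm: "open" | "off";
  groupDm: "off" | "allowlist";
  groupDmAllowlist: string[];   // channel ids permitted when groupDm === "allowlist"
}

// Weak classifier (the bug class in the advisory): "no guild id" is read as "DM",
// so a group DM inherits the one-to-one DM policy and session handling.
function classifyWeak(ctx: InteractionContext): ChannelKind {
  return ctx.guildId !== undefined ? "guild" : "dm";
}

// Corrected classifier: decide on the channel type itself, and refuse unknown types
// rather than defaulting them to the most permissive bucket.
function classifyStrict(ctx: InteractionContext): ChannelKind {
  if (ctx.channelType === ChannelType.GROUP_DM) return "group_dm";
  if (ctx.channelType === ChannelType.DM) return "dm";
  if (ctx.guildId !== undefined) return "guild";
  throw new Error(`refusing unclassified channel type ${ctx.channelType}`);
}

// Policy enforcement keyed on the classification.
function isAllowed(kind: ChannelKind, ctx: InteractionContext, policy: DmPolicy): boolean {
  if (kind === "dm") return policy.dm === "open";
  if (kind === "group_dm") {
    return policy.groupDm === "allowlist" && policy.groupDmAllowlist.includes(ctx.channelId);
  }
  return true; // guild policy is out of scope for this example
}

// Session keys: a DM session belongs to the user, a group DM session to the channel,
// so participants of one group do not land in each other's one-to-one sessions.
function sessionKey(kind: ChannelKind, ctx: InteractionContext): string {
  if (kind === "dm") return `dm:${ctx.userId}`;
  if (kind === "group_dm") return `group:${ctx.channelId}`;
  return `guild:${ctx.guildId ?? "unknown"}:${ctx.channelId}`;
}

interface RoutingDecision { kind: ChannelKind; allowed: boolean; sessionKey: string; }

function routeInteraction(
  ctx: InteractionContext,
  policy: DmPolicy,
  classify: (c: InteractionContext) => ChannelKind = classifyStrict,
): RoutingDecision {
  const kind = classify(ctx);
  return { kind, allowed: isAllowed(kind, ctx, policy), sessionKey: sessionKey(kind, ctx) };
}

// Constructed sample: a component interaction arriving from a group DM.
const SAMPLE_GROUP_DM: InteractionContext = {
  channelId: "1000000000000000001",
  channelType: ChannelType.GROUP_DM,
  userId: "2000000000000000002",
};

// Constructed policy: one-to-one DMs open, group DMs disabled.
const SAMPLE_POLICY: DmPolicy = { dm: "open", groupDm: "off", groupDmAllowlist: [] };

// Route the same group DM interaction through both classifiers.
function demo(): { weak: RoutingDecision; strict: RoutingDecision } {
  return {
    weak: routeInteraction(SAMPLE_GROUP_DM, SAMPLE_POLICY, classifyWeak),
    strict: routeInteraction(SAMPLE_GROUP_DM, SAMPLE_POLICY),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

With the weak classifier the group DM is routed as `dm`, is allowed although group DMs are disabled, and is keyed on the user alone; the strict classifier routes it as `group_dm`, denies it under the same policy, and keys the session on the channel. The useful regression check for a fix of this kind is exactly that pair: the same group DM payload must produce a different policy result and a different session key than a genuine one-to-one DM.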
References
- github.com/advisories/GHSA-pr66-whqj-rq5p
- github.com/openclaw/openclaw
- github.com/openclaw/openclaw/commit/8c83128fc38d5a3642b8ccbea58550755fdbbbaf
- github.com/openclaw/openclaw/security/advisories/GHSA-6336-qqw9-v6x6
- nvd.nist.gov/vuln/detail/CVE-2026-41341
- www.vulncheck.com/advisories/openclaw-component-interaction-misclassification-in-discord-extension