CVE-2026-32028: OpenClaw: Discord DM reaction ingress missed dmPolicy/allowFrom checks in restricted setups
(updated )
In OpenClaw <= 2026.2.24, Discord direct-message reaction notifications did not consistently apply the same DM authorization checks (dmPolicy / allowFrom) that are enforced for normal DM message ingress.
In restrictive DM setups, a non-allowlisted Discord user who can react to a bot-authored DM message could still enqueue a reaction-derived system event in the session.
This is a reaction-only ingress inconsistency. By itself it does not directly execute commands; practical impact depends on downstream automation/tool policy.
References
- github.com/advisories/GHSA-354r-7mfh-7rh2
- github.com/openclaw/openclaw
- github.com/openclaw/openclaw/commit/aedf62ac7e669a89c7b299201bf6537dc6b12e0e
- github.com/openclaw/openclaw/security/advisories/GHSA-354r-7mfh-7rh2
- nvd.nist.gov/vuln/detail/CVE-2026-32028
- www.vulncheck.com/advisories/openclaw-missing-authorization-check-in-discord-dm-reaction-ingress
Code Behaviors & Features
Detect and mitigate CVE-2026-32028 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →