CVE-2026-32035: OpenClaw: Discord voice transcript owner-flag omission could expose owner-only tools in mixed-trust channels

March 3, 2026 (updated March 19, 2026)

In openclaw@2026.3.1, the Discord voice transcript path called agentCommand(...) without senderIsOwner, and agentCommand defaults missing senderIsOwner to true.

This could allow a non-owner voice participant in the same channel to reach owner-only tool surfaces (gateway, cron) during voice transcript turns.

References

github.com/advisories/GHSA-wpg9-4g4v-f9rc
github.com/openclaw/openclaw
github.com/openclaw/openclaw/security/advisories/GHSA-wpg9-4g4v-f9rc
nvd.nist.gov/vuln/detail/CVE-2026-32035

Code Behaviors & Features

Detect and mitigate CVE-2026-32035 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →