GHSA-9vvh-2768-c8vp: OpenClaw: Discord guild reaction ingress could bypass users and roles allowlists
In affected versions of openclaw, Discord reaction ingestion for guild channels did not enforce the same per-member user and role allowlist checks that gate normal inbound guild messages. A non-allowlisted guild member could therefore still trigger reaction events that were accepted and queued as trusted system events for the target session.
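As an added illustration of the bug class, not OpenClaw's own code (the class and function names and the allowlist policy are hypothetical): one allowlist gate shared by the message and reaction ingress paths, shown beside the unguarded reaction handler the advisory describes.

```python
# Added example, not OpenClaw code: a shared allowlist gate for guild ingress.
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class GuildAllowlist:
    users: frozenset  # allowed member ids
    roles: frozenset  # allowed role ids

    def permits(self, member_id: str, member_roles: Iterable[str]) -> bool:
        # Hypothetical policy: pass if the member id is listed or the member
        # holds at least one listed role.
        return member_id in self.users or bool(self.roles & set(member_roles))


@dataclass(frozen=True)
class Event:
    kind: str            # "message" or "reaction"
    member_id: str
    member_roles: tuple  # role ids the member holds
    payload: str


def ingest_message(event: Event, allowlist: GuildAllowlist, queue: List[Event]) -> bool:
    # Normal inbound guild messages are gated before being queued.
    if not allowlist.permits(event.member_id, event.member_roles):
        return False
    queue.append(event)
    return True


def ingest_reaction_vulnerable(event: Event, allowlist: GuildAllowlist, queue: List[Event]) -> bool:
    # The flaw in the advisory: the reaction path queues the event without
    # consulting the same user/role allowlist the message path uses.
    queue.append(event)
    return True


def ingest_reaction_fixed(event: Event, allowlist: GuildAllowlist, queue: List[Event]) -> bool:
    # Mitigation: route reactions through the identical gate as messages.
    return ingest_message(event, allowlist, queue)
```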