GHSA-wpg9-4g4v-f9rc: OpenClaw: Discord voice transcript owner-flag omission could expose owner-only tools in mixed-trust channels

March 3, 2026

In openclaw@2026.3.1, the Discord voice transcript path called agentCommand(...) without senderIsOwner, and agentCommand defaults missing senderIsOwner to true.

This could allow a non-owner voice participant in the same channel to reach owner-only tool surfaces (gateway, cron) during voice transcript turns.

References

github.com/advisories/GHSA-wpg9-4g4v-f9rc
github.com/openclaw/openclaw
github.com/openclaw/openclaw/security/advisories/GHSA-wpg9-4g4v-f9rc

Code Behaviors & Features

Detect and mitigate GHSA-wpg9-4g4v-f9rc with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →