#VU125141 Incorrect authorization in OpenClaw - CVE-2026-32923

Published: April 8, 2026


Vulnerability identifier: #VU125141
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-32923
CWE-ID: CWE-863
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
OpenClaw
Software vendor:
OpenClaw

Description

The vulnerability allows a remote user to inject reaction text into downstream session context.

The vulnerability exists due to incorrect authorization in Discord guild reaction ingress when handling reaction events for guild channels. A remote user can send a reaction from a non-allowlisted guild member account to inject reaction text into downstream session context.

Accepted reactions are queued as trusted system events for the target session.
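As an added illustration (not OpenClaw's own code), the following hypothetical TypeScript reaction-ingress gate shows the authorization gap the description names beside a deny-by-default fix; every type, function and sample value below is an assumption constructed for this example.

```typescript
// Added illustration, not OpenClaw's code: all names below are hypothetical.
type ReactionEvent = { guildId: string; channelId: string; userId: string; emoji: string };
type SystemEvent = { sessionId: string; text: string; trusted: boolean };
// guild id -> ids of members allowed to steer the session (deny by default)
type GuildAllowlist = Map<string, Set<string>>;
// channel id -> session id bound to that channel
type SessionMap = Map<string, string>;

function reactionText(ev: ReactionEvent): string {
  return `reaction ${ev.emoji} from user ${ev.userId}`;
}

// Vulnerable shape (CWE-863): only the channel-to-session binding is checked,
// so any guild member's reaction is queued as a trusted system event.
function ingestReactionVulnerable(
  ev: ReactionEvent, sessions: SessionMap, queue: SystemEvent[]): boolean {
  const sessionId = sessions.get(ev.channelId);
  if (sessionId === undefined) return false;
  queue.push({ sessionId, text: reactionText(ev), trusted: true });
  return true;
}

// Hardened shape: the reacting member must be on the guild's allowlist;
// reactions from anyone else are dropped before they reach the session queue.
function ingestReactionHardened(
  ev: ReactionEvent, allow: GuildAllowlist, sessions: SessionMap, queue: SystemEvent[]): boolean {
  const sessionId = sessions.get(ev.channelId);
  if (sessionId === undefined) return false;
  const members = allow.get(ev.guildId);
  if (members === undefined || !members.has(ev.userId)) return false; // not authorized
  queue.push({ sessionId, text: reactionText(ev), trusted: true });
  return true;
}

// Constructed sample: one allowlisted operator and one ordinary guild member
// react in the same channel; returns how many events each gate queued.
function demo(): { vulnerable: number; hardened: number } {
  const sessions: SessionMap = new Map([["chan-1", "session-A"]]);
  const allow: GuildAllowlist = new Map([["guild-1", new Set(["operator-1"])]]);
  const events: ReactionEvent[] = [
    { guildId: "guild-1", channelId: "chan-1", userId: "operator-1", emoji: "👍" },
    { guildId: "guild-1", channelId: "chan-1", userId: "member-2", emoji: "👍" },
  ];
  const vq: SystemEvent[] = [];
  const hq: SystemEvent[] = [];
  for (const ev of events) {
    ingestReactionVulnerable(ev, sessions, vq);
    ingestReactionHardened(ev, allow, sessions, hq);
  }
  return { vulnerable: vq.length, hardened: hq.length };
}
```

Dropped reactions in the hardened path are a natural place to emit an audit log line, since repeated rejections from one account are a useful detection signal.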


Remediation

Install the security update from the vendor's website.

External links