CVE-2026-27484 – OpenClaw Discord moderation authorization used untrusted sender identity in tool-driven flows

CVE ID : CVE-2026-27484

Published : Feb. 21, 2026, 10:16 a.m. | 48 minutes ago

Description : OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, the Discord moderation action handling (timeout, kick, ban) uses sender identity from request parameters in tool-driven flows, instead of trusted runtime sender context. In setups where Discord moderation actions are enabled and the bot has the necessary guild permissions, a non-admin user can request moderation actions by spoofing sender identity fields. This issue has been fixed in version 2026.2.18.

Severity: 2.3 | LOW

Visit the link for more details, such as CVSS details, affected products, timeline, and more…