PT-2026-32075 · Npm · Openclaw

Published: 2026-03-31 · Updated: 2026-03-31

CVSS v4.0: 5.3 (Medium)

Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N

Summary

Discord button and component interaction ingress did not consistently reapply the same guild and channel policy gates used for normal inbound messages.

Impact

Users could trigger privileged component actions from contexts that should have been blocked by Discord channel policy.

Affected Component

extensions/discord/src/monitor/agent-components.ts

Fixed Versions

  • Affected: >= 2026.2.14, <= 2026.3.24
  • Patched: >= 2026.3.28
  • Latest stable 2026.3.28 contains the fix.

Fix

Fixed by commit 511093d4b3 (Discord: apply component interaction policy gates).
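
The pattern named in the fix title, one policy gate shared by the message and component ingress paths, is sketched below as an added example. It is not OpenClaw's code or the contents of commit 511093d4b3; every type, function name, policy field and sample id is hypothetical.

```typescript
// Hypothetical names throughout; this is not OpenClaw's API.
interface EventOrigin {
  guildId: string | null; // null when the event arrives in a DM
  channelId: string;
}

interface ChannelPolicy {
  allowedGuilds: string[];
  allowedChannels: string[];
  allowDirectMessages: boolean;
}

// The one gate. It looks only at where the event came from, never at what
// kind of event it is, so no ingress path can end up with a weaker check.
function denyReason(o: EventOrigin, p: ChannelPolicy): string | null {
  if (o.guildId === null) return p.allowDirectMessages ? null : "dm-not-allowed";
  if (p.allowedGuilds.indexOf(o.guildId) === -1) return "guild-not-allowed";
  if (p.allowedChannels.indexOf(o.channelId) === -1) return "channel-not-allowed";
  return null;
}

// Every handler is wrapped here; the action runs only after the gate passes.
function gated(o: EventOrigin, p: ChannelPolicy, action: () => string): string {
  const reason = denyReason(o, p);
  return reason === null ? action() : "denied:" + reason;
}

// Normal inbound message path.
function onMessage(o: EventOrigin, p: ChannelPolicy): string {
  return gated(o, p, () => "message-handled");
}

// Button / component path: same gate, applied before the custom id is acted on.
function onComponent(o: EventOrigin, p: ChannelPolicy, customId: string): string {
  return gated(o, p, () => "component-ran:" + customId);
}

// Constructed sample policy and events (not real Discord ids).
const samplePolicy: ChannelPolicy = {
  allowedGuilds: ["guild-1"],
  allowedChannels: ["chan-ops"],
  allowDirectMessages: false,
};
const allowedEvent: EventOrigin = { guildId: "guild-1", channelId: "chan-ops" };
const blockedEvent: EventOrigin = { guildId: "guild-1", channelId: "chan-general" };

console.log(onComponent(allowedEvent, samplePolicy, "approve"));
console.log(onComponent(blockedEvent, samplePolicy, "approve"));
console.log(onMessage(blockedEvent, samplePolicy));
```

A regression test for this class of bug asserts that a blocked origin gets the same denial on every ingress path, not only on the message path.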

Fix

Missing Authorization

Weakness Enumeration

Related Identifiers

GHSA-JP4J-Q5FC-58GV

Affected Products

Openclaw