CVE-2026-27484

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.2.18

Description The software handles Discord moderation actions (timeout, kick, ban) using information from request parameters instead of a secure source. This allows a user without administrative privileges to potentially perform moderation actions by manipulating sender identity fields. The issue occurs when Discord moderation actions are enabled and the bot possesses the necessary permissions within a Discord server. The vulnerable component relies on request parameters to determine sender identity in tool-driven flows, rather than a trusted runtime context. The vulnerable parameters are related to sender identity within the request.

Recommendations Update to version 2026.2.18 or later to resolve the issue.