PT-2026-25497 · Npm · Openclaw

Published

2026-03-03

·

Updated

2026-03-03

CVSS v4.0

5.8

Medium

VectorAV:N/AC:H/AT:P/PR:L/UI:A/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Summary

In openclaw@2026.3.1, the Discord voice transcript path called agentCommand(...) without senderIsOwner, and agentCommand defaults missing senderIsOwner to true.
This could allow a non-owner voice participant in the same channel to reach owner-only tool surfaces (gateway, cron) during voice transcript turns.

Security model note

OpenClaw’s documented trust model is a personal assistant model (one trusted operator), not an adversarial multi-user boundary.
  • OpenClaw does not treat one shared gateway/chat surface as a hardened per-user auth boundary.
  • Mixed-trust deployments (mutually untrusted users sharing one gateway/channel) are outside recommended deployment boundaries.
This report is treated as a valid hardening/authorization bug because owner-only tool policy should still be applied consistently across chat-driven turns, including Discord voice transcript ingress.

Details

Relevant path:
  1. Voice transcript run omitted senderIsOwner in Discord voice manager.
  2. Missing senderIsOwner defaulted to true in agentCommand.
  3. Owner-only tool policy is keyed on senderIsOwner.
  4. gateway and cron are owner-only tools.

Impact

  • Affects deployments where Discord voice is enabled and the bot is present in channels with non-owner participants.
  • No gateway-auth boundary bypass was required.
  • Practical risk depends strongly on whether the deployment is single-trust (recommended) or mixed-trust (not recommended).

Severity rationale

Downgraded from high to medium to align with OpenClaw’s trust model and deployment assumptions:
  • Requires participation in the same voice environment as the trusted operator workflow.
  • Requires Discord voice path conditions (joined voice channel + transcript flow).
  • Does not introduce a new cross-gateway or unauthenticated boundary bypass.

Remediation

  • Always pass explicit senderIsOwner from Discord voice transcript ingress.
  • Fail closed (false) when owner status is unknown for non-local/chat ingress paths.
  • Keep regression tests that verify owner/non-owner voice speaker handling.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Affected versions: <= 2026.3.1
  • Patched versions: >= 2026.3.2 (released)

Fix

Incorrect Authorization

Improper Privilege Management

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-863CWE-269

Related Identifiers

GHSA-WPG9-4G4V-F9RC

Affected Products

Openclaw