PT-2026-32075 · Npm · Openclaw
Published: 2026-03-31 · Updated: 2026-03-31
CVSS v4.0
5.3 Medium
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N
Summary
Discord button and component interaction ingress did not consistently reapply the same guild and channel policy gates used for normal inbound messages.
Impact
Users could trigger privileged component actions from contexts that should have been blocked by Discord channel policy.
Affected Component
extensions/discord/src/monitor/agent-components.ts
Fixed Versions
- Affected: >= 2026.2.14, <= 2026.3.24
- Patched: >= 2026.3.28
- Latest stable 2026.3.28 contains the fix.
Fix
Fixed by commit 511093d4b3 (Discord: apply component interaction policy gates).
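The pattern behind this class of bug, as an added example that is not OpenClaw's code: one policy gate that both the message path and the component-interaction path must call. Every type, function name, policy field and ID below is hypothetical, and the ungated handler is simplified to no check at all.

```typescript
// Added illustration; all names are hypothetical, not OpenClaw's API.
interface IngressContext { guildId: string | null; channelId: string; userId: string }
interface DiscordPolicy { guilds: string[]; channels: string[]; allowDms: boolean }

// The one gate every ingress path calls. Returns null when the context is
// allowed, otherwise the reason for the denial.
function denyReason(policy: DiscordPolicy, ctx: IngressContext): string | null {
  if (ctx.guildId === null) return policy.allowDms ? null : "dm-not-allowed";
  if (policy.guilds.indexOf(ctx.guildId) === -1) return "guild-not-allowed";
  if (policy.channels.indexOf(ctx.channelId) === -1) return "channel-not-allowed";
  return null;
}

// Normal inbound message path: gated before anything runs.
function onMessage(policy: DiscordPolicy, ctx: IngressContext, run: () => string): string {
  const reason = denyReason(policy, ctx);
  return reason === null ? run() : `denied:${reason}`;
}

// Component path with the flaw (simplified): the action runs without
// re-checking which guild and channel the interaction came from.
function onComponentUngated(_policy: DiscordPolicy, _ctx: IngressContext, run: () => string): string {
  return run();
}

// Component path with the gate reapplied: same check as onMessage.
function onComponentGated(policy: DiscordPolicy, ctx: IngressContext, run: () => string): string {
  const reason = denyReason(policy, ctx);
  return reason === null ? run() : `denied:${reason}`;
}

// Constructed sample data: one allowed guild, one allowed channel, no DMs.
const samplePolicy: DiscordPolicy = { guilds: ["guild-1"], channels: ["ops"], allowDms: false };
const blockedCtx: IngressContext = { guildId: "guild-1", channelId: "general", userId: "user-7" };
const allowedCtx: IngressContext = { guildId: "guild-1", channelId: "ops", userId: "user-7" };
const action = (): string => "action-ran";

console.log(onMessage(samplePolicy, blockedCtx, action));          // message from blocked channel
console.log(onComponentUngated(samplePolicy, blockedCtx, action)); // same channel, button click, no gate
console.log(onComponentGated(samplePolicy, blockedCtx, action));   // same channel, gate reapplied
console.log(onComponentGated(samplePolicy, allowedCtx, action));   // allowed channel still works
```

A regression test for this kind of fix feeds the same blocked context to every ingress handler and requires identical denials.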
Missing Authorization
Weakness Enumeration
Related Identifiers
Affected Products
Openclaw