{"data":{"id":"adae87d2-0b3e-4abc-b8a5-599bc3fb08c3","title":"GHSA-wh94-p5m6-mr7j: OpenClaw Discord moderation authorization used untrusted sender identity in tool-driven flows","summary":"OpenClaw, a Discord moderation bot package, had an authorization flaw: in tool-driven flows, moderation actions such as timeout, kick, and ban took the acting user's identity from an untrusted action parameter supplied with the request instead of from the verified sender context. Because the authorization check trusted that parameter, a non-admin user could supply an administrator's identity and have the bot carry out these privileged actions on their behalf. All versions prior to 2026.2.18 are affected; the issue was fixed in version 2026.2.18.","solution":"Moderation authorization was changed to derive the acting user's identity from the trusted sender context (requesterSenderId) rather than from untrusted action parameters, so the identity used for the permission decision can no longer be chosen by the requester. Permission checks were also added so that, before each action, the bot verifies it actually holds the guild capability that action requires. Update to version 2026.2.18 or later; on earlier versions, any sender-identity value carried in tool or action parameters must be treated as attacker-controlled and must not be used for authorization.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-wh94-p5m6-mr7j","publishedAt":"2026-02-20T21:02:31.000Z","cveId":"CVE-2026-27484","cweIds":null,"cvssScore":null,"cvssSeverity":"low","severity":"low","attackType":[],"issueType":"vulnerability","affectedPackages":["openclaw@< 2026.2.18 (fixed: 2026.2.18)"],"affectedVendors":[],"affectedVendorsRaw":["OpenClaw"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0.00024,"patchAvailable":null,"disclosureDate":null,"capecIds":null,"crossRefCount":0,"attackSophistication":"trivial","impactType":["integrity"],"aiComponentTargeted":"agent","llmSpecific":false,"classifierConfidence":0.85,"researchCategory":null,"atlasIds":null}}