Description

OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, the Discord moderation action handling (timeout, kick, ban) uses sender identity from request parameters in tool-driven flows, instead of trusted runtime sender context. In setups where Discord moderation actions are enabled and the bot has the necessary guild permissions, a non-admin user can request moderation actions by spoofing sender identity fields. This issue has been fixed in version 2026.2.18.

INFO

Published Date :

2026-02-21T09:21:16.568Z

Last Modified :

2026-02-21T09:21:16.568Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-27484 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-27484.

URL Resource
https://github.com/openclaw/openclaw/commit/775816035ecc6bb243843f8000c9a58ff609e32d cve-icon cve-icon
https://github.com/openclaw/openclaw/releases/tag/v2026.2.19 cve-icon cve-icon
https://github.com/openclaw/openclaw/security/advisories/GHSA-wh94-p5m6-mr7j cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability