Authentication Bypass by Spoofing in OpenClaw - #VU132721

Published: May 29, 2026


Vulnerability identifier: #VU132721
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-290
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OpenClaw
Affected software: OpenClaw

Detailed vulnerability description

The vulnerability allows a remote user to gain agent access intended for another Discord identity.

The vulnerability exists due to authentication bypass by spoofing in the Discord allowFrom feature: policy entries are matched against mutable display-name or global-name metadata rather than a stable identifier. A remote user can change their Discord display metadata to gain agent access intended for another Discord identity.

Exploitation requires the affected feature to be enabled and reachable, and practical impact depends on the operator's configuration and whether lower-trust input can reach that path.
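The following is an added illustration of the CWE-290 pattern described above; it is not OpenClaw's code and makes no claim about how the project implements allowFrom. It assumes a minimal `DiscordUser` record with the fields a Discord message author carries (an immutable user ID plus several user-changeable names) and contrasts a check that matches policy entries against those names with one that accepts only the stable ID. The sample users and policies are constructed.

```python
# Added example, not OpenClaw's code: allowlist matching on mutable Discord
# name metadata (CWE-290 pattern) beside matching on the stable user ID.
from dataclasses import dataclass


@dataclass(frozen=True)
class DiscordUser:
    """Constructed stand-in for the author fields on a Discord message."""
    user_id: str       # snowflake assigned by Discord; cannot be changed by the user
    username: str      # unique handle, but the user can change it
    global_name: str   # free-form global display name, changeable at will
    display_name: str  # per-guild nickname, changeable at will


def weak_allow_from(user: DiscordUser, allow_from: set[str]) -> bool:
    """Vulnerable pattern: a policy entry matching any user-controlled name grants access."""
    candidates = (user.display_name, user.global_name, user.username)
    return any(name in allow_from for name in candidates)


def validate_allow_from(allow_from: set[str]) -> set[str]:
    """Keep only entries that look like snowflake IDs (numeric); drop name-style entries.

    Rejecting name entries at configuration time means an operator who writes a
    display name into the policy gets an empty (deny-all) list rather than a
    policy that is silently matched against spoofable metadata.
    """
    return {entry for entry in allow_from if entry.isdigit()}


def strict_allow_from(user: DiscordUser, allow_from: set[str]) -> bool:
    """Hardened pattern: compare only the immutable user ID against validated entries."""
    return user.user_id in validate_allow_from(allow_from)


# Constructed sample: the operator intends to allow only the user whose ID is "1001".
OPERATOR = DiscordUser("1001", "operator", "Operator", "Operator")
# A different account whose mutable names have been set to the same values.
OTHER_ACCOUNT = DiscordUser("2002", "someone_else", "Operator", "Operator")


def demo() -> dict:
    """Run both checks against a name-based and an ID-based policy entry."""
    name_policy = {"Operator"}  # entry written as a display name
    id_policy = {"1001"}        # entry written as a user ID
    return {
        "weak_operator": weak_allow_from(OPERATOR, name_policy),
        "weak_other": weak_allow_from(OTHER_ACCOUNT, name_policy),      # True: spoofable
        "strict_operator": strict_allow_from(OPERATOR, id_policy),
        "strict_other": strict_allow_from(OTHER_ACCOUNT, id_policy),     # False
        "strict_name_entry": strict_allow_from(OPERATOR, name_policy),   # False: entry dropped
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of `validate_allow_from` is that the hardened check fails closed: a name-style entry is never compared against anything, so the only way to grant access is to list the account's ID.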


Remediation

Install the security update from the vendor's website.

Sources