OpenClaw before 2026.3.31 performs Discord audio preflight transcription before validating member authorization, allowing unauthenticated attackers to consume resources. Remote attackers can trigger audio preflight processing without member allowlist validation to cause resource exhaustion.
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XOpenclaw
APPOpenclaw< 2026.3.31
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth Bypass
CWE
Related vulnerabilities
CVE-2026-43585CRITICAL9.2PL ✓ten sam produkt
OpenClaw: ominięcie uwierzytelniania przez nieodświeżane tokeny bearer po rotacji SecretRef
CVE-2026-43575CRITICAL9.2PL ✓ten sam produkt
OpenClaw: Authentication Bypass w trasie pomocniczej sandbox noVNC
CVE-2026-43578CRITICAL9.1PL ✓ten sam produkt
OpenClaw: privilege escalation przez pominięcie zdarzeń async exec w heartbeat
CVE-2026-43581CRITICAL9.0PL ✓ten sam produkt
OpenClaw: ekspozycja Chrome DevTools Protocol poza sandbox
CVE-2026-44109CRITICAL9.2PL ✓ten sam produkt
OpenClaw — Auth Bypass w walidacji Feishu webhook umożliwia RCE