CVE-2026-32035 in OpenClaw

Summary

by MITRE • 03/20/2026

OpenClaw versions prior to 2026.3.2 fail to pass the senderIsOwner flag when processing Discord voice transcripts in agentCommand, causing the flag to default to true. Non-owner voice participants can exploit this omission to access owner-only tools including gateway and cron functionality in mixed-trust channels.


Analysis

by VulDB Data Team • 03/25/2026

The vulnerability identified as CVE-2026-32035 affects OpenClaw versions prior to 2026.3.2 and represents a critical authorization flaw in the Discord voice transcript processing mechanism. This issue stems from the improper handling of the senderIsOwner flag within the agentCommand function, which is responsible for processing voice transcripts from Discord channels. The absence of proper flag validation creates a privilege escalation vector that allows unauthorized users to gain access to administrative functionalities that should be restricted to channel owners only.

The technical implementation flaw resides in the agentCommand function: the caller that processes Discord voice transcripts does not pass the senderIsOwner flag, so the flag takes its default value of true. When voice transcripts are received from Discord channels, the system therefore treats every participant as an owner, bypassing the intended access control checks. This default assumption of ownership means that any user in a mixed-trust channel can execute privileged operations, including gateway management and cron scheduling functions that are meant to be restricted to channel administrators.

The operational impact of this vulnerability extends beyond simple privilege escalation as it fundamentally undermines the trust model of mixed-channel environments. In scenarios where multiple users with varying permission levels interact within the same voice channel, non-owner participants can exploit this flaw to execute administrative commands that could compromise the entire system. The gateway functionality allows for network-level operations that could potentially redirect traffic or access sensitive system resources, while cron functionality enables scheduled task execution that could be used for persistent backdoor establishment or data exfiltration. This vulnerability directly aligns with CWE-284, which addresses improper access control, and represents a classic example of insufficient privilege checking in multi-user environments.

The attack surface becomes particularly concerning in environments where OpenClaw systems are integrated with Discord voice channels that contain both trusted administrators and less privileged users. The vulnerability enables what is known as a privilege escalation attack pattern, where an attacker with minimal privileges can elevate their access level to administrative status. This scenario maps directly to ATT&CK technique T1078 which covers valid accounts and privilege escalation through compromised credentials or flawed access controls. The mixed-trust nature of the vulnerability means that even users who should not have administrative access can gain full control over critical system functions, potentially leading to complete system compromise.

Mitigation strategies for this vulnerability should focus on immediate patching of affected OpenClaw installations to version 2026.3.2 or later, which includes proper implementation of the senderIsOwner flag validation. Organizations should also implement additional monitoring for unauthorized gateway and cron operations, particularly in mixed-trust channel environments. Network segmentation and access control policies should be reviewed to limit the impact of potential exploitation, while regular security audits should verify that all access control mechanisms are properly functioning. The fix should ensure that the senderIsOwner flag is explicitly validated and passed through the agentCommand processing pipeline, preventing the default assumption of ownership that currently exists in vulnerable versions.
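The following is an added model of the flaw class described above, not OpenClaw's code: the function names (agentCommandVulnerable, agentCommandFixed, handleVoiceTranscript*, auditToolCalls), the options-object shape and the sample data are assumptions chosen to show why an omitted flag that defaults to the privileged value fails open, how a fail-closed version that derives senderIsOwner from the speaker identity behaves, and how a simple log audit can surface owner-only tool calls by non-owners as the mitigation paragraph recommends.

```javascript
// Added illustration of the authorization flaw described in CVE-2026-32035.
// NOT OpenClaw's code: all names and data shapes below are assumptions.

// Tools the text describes as owner-only.
const OWNER_ONLY_TOOLS = new Set(["gateway", "cron"]);

// Vulnerable pattern: an omitted flag silently defaults to the privileged value.
function agentCommandVulnerable({ text, tool, senderIsOwner = true }) {
  if (OWNER_ONLY_TOOLS.has(tool) && !senderIsOwner) {
    return { ok: false, reason: "owner-only tool" };
  }
  return { ok: true, ran: tool, text };
}

// The voice-transcript path omits senderIsOwner, so every speaker is treated as the owner.
function handleVoiceTranscriptVulnerable(transcript) {
  return agentCommandVulnerable({ text: transcript.text, tool: transcript.tool });
}

// Hardened pattern: fail closed. The flag is mandatory, and forgetting it is a
// programming error rather than an implicit grant of ownership.
function agentCommandFixed({ text, tool, senderIsOwner }) {
  if (typeof senderIsOwner !== "boolean") {
    throw new TypeError("agentCommand: senderIsOwner must be passed explicitly");
  }
  if (OWNER_ONLY_TOOLS.has(tool) && !senderIsOwner) {
    return { ok: false, reason: "owner-only tool" };
  }
  return { ok: true, ran: tool, text };
}

// The flag is derived from the speaker's identity at the trust boundary and passed through.
function handleVoiceTranscriptFixed(transcript, ownerIds) {
  const senderIsOwner = ownerIds.has(transcript.speakerId);
  return agentCommandFixed({ text: transcript.text, tool: transcript.tool, senderIsOwner });
}

// Detection aid: flag owner-only tool invocations whose speaker is not a known owner.
// `records` is a constructed shape { path, speakerId, tool }, not a real OpenClaw log format.
function auditToolCalls(records, ownerIds) {
  return records.filter((r) => OWNER_ONLY_TOOLS.has(r.tool) && !ownerIds.has(r.speakerId));
}

// Constructed sample: a mixed-trust voice channel with one owner and one guest.
const OWNER_IDS = new Set(["owner-123"]);
const GUEST_TRANSCRIPT = { speakerId: "guest-456", tool: "cron", text: "schedule a job every minute" };
const OWNER_TRANSCRIPT = { speakerId: "owner-123", tool: "gateway", text: "restart the gateway" };
const SAMPLE_LOG = [
  { path: "voice", speakerId: "owner-123", tool: "gateway" },
  { path: "voice", speakerId: "guest-456", tool: "cron" },
  { path: "text", speakerId: "guest-456", tool: "search" },
];

// Runs the three scenarios and returns the outcomes so they can be inspected or asserted on.
function demo() {
  return {
    vulnerableGuest: handleVoiceTranscriptVulnerable(GUEST_TRANSCRIPT), // ok: true (the bug)
    fixedGuest: handleVoiceTranscriptFixed(GUEST_TRANSCRIPT, OWNER_IDS), // ok: false
    fixedOwner: handleVoiceTranscriptFixed(OWNER_TRANSCRIPT, OWNER_IDS), // ok: true
    suspiciousCalls: auditToolCalls(SAMPLE_LOG, OWNER_IDS), // one entry: guest-456 / cron
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The design point is that a default value for an authorization flag must be the least-privileged one, and better still there should be no default at all: the fixed agentCommandFixed refuses to run when the caller forgets the flag, which turns the silent privilege grant in the vulnerable version into a visible failure during testing.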

Responsible

VulnCheck

Reservation

03/10/2026

Disclosure

03/20/2026

Moderation

accepted

CPE

ready

EPSS

0.00040

KEV

no

Activities

very low
