Medium severity5.9NVD Advisory· Published Mar 19, 2026· Updated Apr 20, 2026

CVE-2026-32035

Description

OpenClaw versions prior to 2026.3.2 fail to pass the senderIsOwner flag when processing Discord voice transcripts in agentCommand, causing the flag to default to true. Non-owner voice participants can exploit this omission to access owner-only tools including gateway and cron functionality in mixed-trust channels.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
openclawnpm	< 2026.3.2	2026.3.2

Affected products

OpenClaw/Openclaw
cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Range: <2026.3.2

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-wpg9-4g4v-f9rcghsaADVISORY
github.com/openclaw/openclaw/security/advisories/GHSA-wpg9-4g4v-f9rcnvdMitigationVendor AdvisoryWEB
nvd.nist.gov/vuln/detail/CVE-2026-32035ghsaADVISORY
www.vulncheck.com/advisories/openclaw-missing-owner-flag-validation-in-discord-voice-transcript-handlernvdThird Party AdvisoryWEB

News mentions

No linked articles in our index yet.

cvss	0.384
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000