Source: GitHub Security Advisories

[openclaw] OpenClaw Discord moderation authorization used untrusted sender identity in tool-driven flows

By GitHub
February 21, 2026

**Overview**

Discord moderation action handling (timeout, kick, ban) used sender identity from request parameters in tool-driven flows, instead of trusted runtime sender context.

**Impact**

In setups where Discord moderation actions are enabled and the bot has the necessary guild permissions, a non-admin user could request moderation actions by spoofing sender identity fields.

**Affected Packages / Versions**

- Package: openclaw (npm)
- Latest published affected version (as of 2026-02-19): 2026.2.17
- Affected range: <=2026.2.17
- Fixed in planned next release: 2026.2.18

**Fix**

Moderation authorization now uses trusted sender context (requesterSenderId) instead of untrusted action params. Added permission checks for required guild capabilities per action.

**Fix Commit(s)**

775816035ecc6bb243843f8000c9a58ff609e32d

Thanks @aether-ai-agent for reporting...
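The fix described above, as an added illustration that is not openclaw's own code: the flawed check derives authority from a `senderId` carried in the tool parameters, while the hardened check takes the requester from runtime context (`requesterSenderId`, the field the advisory names) and also verifies that the bot holds the guild permission the action needs. The permission names, the `isAdmin` lookup and the shape of the context and parameter objects are assumptions.

```javascript
// Assumed mapping from moderation action to the guild permission it needs
// (illustrative names, not openclaw's or Discord's actual identifiers).
const REQUIRED_PERMISSION = {
  timeout: "MODERATE_MEMBERS",
  kick: "KICK_MEMBERS",
  ban: "BAN_MEMBERS",
};

// Flawed pattern: authority comes from the tool parameters themselves, which
// the caller controls, so a spoofed senderId is enough to pass as an admin.
function authorizeVulnerable(params, isAdmin) {
  return isAdmin(params.senderId);
}

// Hardened pattern: authority comes from the runtime's trusted context; any
// senderId in params is ignored, and the bot must hold the required permission.
function authorizeFixed(ctx, params, isAdmin, botGuildPermissions) {
  const required = REQUIRED_PERMISSION[params.action];
  if (!required) return { ok: false, reason: "unknown action" };
  if (!ctx.requesterSenderId) return { ok: false, reason: "missing trusted sender" };
  if (!isAdmin(ctx.requesterSenderId)) return { ok: false, reason: "requester not authorized" };
  if (!botGuildPermissions.has(required)) return { ok: false, reason: `bot lacks ${required}` };
  return { ok: true };
}

// Constructed sample data: one admin, a bot that may time out and kick but
// not ban, and a tool call from non-admin "u-guest" whose params claim to
// come from "u-admin".
const admins = new Set(["u-admin"]);
const isAdmin = (id) => admins.has(id);
const botPerms = new Set(["MODERATE_MEMBERS", "KICK_MEMBERS"]);
const spoofedCall = { action: "ban", senderId: "u-admin", targetId: "u-victim" };
const trustedCtx = { requesterSenderId: "u-guest" };

// Runs both checks over the sample data and returns the decisions.
function demo() {
  return {
    vulnerable: authorizeVulnerable(spoofedCall, isAdmin),            // true: spoof accepted
    fixed: authorizeFixed(trustedCtx, spoofedCall, isAdmin, botPerms), // denied: real requester is not admin
    legit: authorizeFixed({ requesterSenderId: "u-admin" }, { action: "kick" }, isAdmin, botPerms),
    missingPerm: authorizeFixed({ requesterSenderId: "u-admin" }, { action: "ban" }, isAdmin, botPerms),
  };
}
```

The `missingPerm` case shows the second half of the fix: even a genuine admin request is refused when the bot itself lacks the guild capability for that action.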

---

**[devsupporter commentary]**

This article is the latest development news provided by GitHub Security Advisories. To learn more about the related tools or technologies, see the original link.