@openclaw/discord@2026.3.2

OpenClaw Discord channel plugin

Direct Vulnerabilities

Known vulnerabilities in the @openclaw/discord package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability | Vulnerable Version
  • M (Medium severity)
Incomplete List of Disallowed Inputs

@openclaw/discord is an OpenClaw Discord channel plugin

Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs through the validateScriptFileForShellBleed process. An attacker can execute unauthorized script content by crafting piped, substituted, or subshell commands that bypass validation checks.

How to fix Incomplete List of Disallowed Inputs?

A fix was pushed into the master branch but not yet published.

Vulnerable versions: >=0.0.0
  • M (Medium severity)
Allocation of Resources Without Limits or Throttling

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the Discord audio preflight transcription process occurring before member authorization. An attacker can cause excessive resource consumption by sending unauthorized requests that trigger this process.

How to fix Allocation of Resources Without Limits or Throttling?

A fix was pushed into the master branch but not yet published.

Vulnerable versions: >=0.0.0
  • M (Medium severity)
Incorrect Authorization

Affected versions of this package are vulnerable to Incorrect Authorization in the Discord voice ingress process. An attacker can gain unauthorized access to voice channels by bypassing the channel-level member access allowlist.

How to fix Incorrect Authorization?

A fix was pushed into the master branch but not yet published.

Vulnerable versions: >=0.0.0
  • M (Medium severity)
Incorrect Authorization

Affected versions of this package are vulnerable to Incorrect Authorization in the Discord slash and autocomplete command handling process. An attacker can gain unauthorized access to group DM channels by bypassing the allowlist restriction using native Discord slash or autocomplete commands. This is only exploitable if the attacker is an already-authorized Discord user.

How to fix Incorrect Authorization?

A fix was pushed into the master branch but not yet published.

Vulnerable versions: >=0.0.0
  • M (Medium severity)
Incorrect Authorization

Affected versions of this package are vulnerable to Incorrect Authorization in the process that handles Discord component interactions, which incorrectly classifies Group Direct Messages as standard Direct Messages. An attacker can cause policy or session misclassification by sending crafted component interactions in a Group DM context.

How to fix Incorrect Authorization?

A fix was pushed into the master branch but not yet published.

Vulnerable versions: >=0.0.0
  • L (Low severity)
Missing Authorization

Affected versions of this package are vulnerable to Missing Authorization in the Discord voice ingress authorization process. An attacker can gain unauthorized access to restricted voice channels by exploiting gaps in channel, name, and stale-role validation.

How to fix Missing Authorization?

A fix was pushed into the master branch but not yet published.

Vulnerable versions: >=0.0.0
  • H (High severity)
Incorrect Authorization

Affected versions of this package are vulnerable to Incorrect Authorization via the approve command in Discord integration. An attacker can gain unauthorized approval of pending host executions by issuing the command without being included in the approver allowlist.

How to fix Incorrect Authorization?

A fix was pushed into the master branch but not yet published.

Vulnerable versions: >=0.0.0
  • M (Medium severity)
Missing Authorization

Affected versions of this package are vulnerable to Missing Authorization in extensions/discord/src/monitor/agent-components.ts. An attacker can bypass intended access restrictions by triggering privileged component actions from unauthorized Discord channel contexts.

How to fix Missing Authorization?

A fix was pushed into the master branch but not yet published.

Vulnerable versions: >=2026.2.14