CVE-2026-41374

MEDIUM CVSS 5.3 View on NVD ↗

Description

OpenClaw before 2026.3.31 performs Discord audio preflight transcription before validating member authorization, allowing unauthenticated attackers to consume resources. Remote attackers can trigger audio preflight processing without member allowlist validation to cause resource exhaustion.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

https://github.com/openclaw/openclaw/commit/ee52f64226a03efadfdf1e3b759e13424a3d4e41
https://github.com/openclaw/openclaw/security/advisories/GHSA-hhff-fj5f-qg48
https://www.vulncheck.com/advisories/openclaw-resource-consumption-via-discord-audio-preflight-before-member-authorization

Published: Apr 28, 2026 19:37 UTC Modified: Apr 28, 2026 20:10 UTC