CVE-2026-32035
OpenClaw: Discord voice transcript owner-flag omission could expose owner-only tools in mixed-trust channels
Description
### Summary

In `[email protected]`, the Discord voice transcript path called `agentCommand(...)` without `senderIsOwner`, and `agentCommand` defaults missing `senderIsOwner` to `true`. This could allow a non-owner voice participant in the same channel to reach owner-only tool surfaces (`gateway`, `cron`) during voice transcript turns.

### Security model note

OpenClaw’s documented trust model is a **personal assistant** model (one trusted operator), not an adversarial multi-user boundary.

- OpenClaw does **not** treat one shared gateway/chat surface as a hardened per-user auth boundary.
- Mixed-trust deployments (mutually untrusted users sharing one gateway/channel) are outside recommended deployment boundaries.

This report is treated as a valid hardening/authorization bug because owner-only tool policy should still be applied consistently across chat-driven turns, including Discord voice transcript ingress.

### Details

Relevant path:

1. Voice transcript run omitted `senderIsOwner` in Discord voice manager.
2. Missing `senderIsOwner` defaulted to `true` in `agentCommand`.
3. Owner-only tool policy is keyed on `senderIsOwner`.
4. `gateway` and `cron` are owner-only tools.

### Impact

- Affects deployments where Discord voice is enabled and the bot is present in channels with non-owner participants.
- No gateway-auth boundary bypass was required.
- Practical risk depends strongly on whether the deployment is single-trust (recommended) or mixed-trust (not recommended).

### Severity rationale

Downgraded from high to **medium** to align with OpenClaw’s trust model and deployment assumptions:

- Requires participation in the same voice environment as the trusted operator workflow.
- Requires Discord voice path conditions (joined voice channel + transcript flow).
- Does not introduce a new cross-gateway or unauthenticated boundary bypass.

### Remediation

- Always pass explicit `senderIsOwner` from Discord voice transcript ingress.
- Fail closed (`false`) when owner status is unknown for non-local/chat ingress paths.
- Keep regression tests that verify owner/non-owner voice speaker handling.

### Affected Packages / Versions

- Package: `openclaw` (npm)
- Affected versions: `<= 2026.3.1`
- Patched versions: `>= 2026.3.2` (released)
How to fix CVE-2026-32035
To fix CVE-2026-32035, upgrade the affected package to the patched version listed below.
- Upgrade to 2026.3.2 or later
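
The fail-open default from the Details section next to the fail-closed handling the Remediation section asks for, as an added JavaScript example that is not OpenClaw's code. Only `senderIsOwner`, `gateway` and `cron` come from the advisory; the function names, the other tools and the speaker ids are assumptions made for illustration.

```javascript
// Added illustration, not OpenClaw source. Apart from the senderIsOwner flag
// and the owner-only tool names gateway and cron, every name is hypothetical.
const OWNER_ONLY_TOOLS = new Set(["gateway", "cron"]);
const ALL_TOOLS = ["gateway", "cron", "web_search", "notes"]; // constructed list

// Fail-open shape: a caller that omits the flag (or passes undefined)
// is treated as the owner because the destructuring default kicks in.
function toolsFailOpen({ senderIsOwner = true } = {}) {
  return ALL_TOOLS.filter((t) => senderIsOwner || !OWNER_ONLY_TOOLS.has(t));
}

// Fail-closed shape: only an explicit boolean true unlocks owner-only tools.
function toolsFailClosed({ senderIsOwner } = {}) {
  const isOwner = senderIsOwner === true;
  return ALL_TOOLS.filter((t) => isOwner || !OWNER_ONLY_TOOLS.has(t));
}

// Hypothetical voice ingress: resolve owner status per speaker and always
// pass it explicitly; a missing or unknown speaker id resolves to false.
function voiceTurnOptions(speakerId, ownerIds) {
  const senderIsOwner = typeof speakerId === "string" && ownerIds.has(speakerId);
  return { senderIsOwner };
}

// Regression helper: the owner-only tools a turn can reach under a policy.
function ownerToolsReachable(policy, options) {
  return policy(options).filter((t) => OWNER_ONLY_TOOLS.has(t));
}

const owners = new Set(["owner-1"]); // constructed owner id
const omitted = {}; // an ingress path that never set the flag
console.log("fail-open, flag omitted:", ownerToolsReachable(toolsFailOpen, omitted));
console.log("fail-closed, flag omitted:", ownerToolsReachable(toolsFailClosed, omitted));
console.log("guest speaker:",
  ownerToolsReachable(toolsFailClosed, voiceTurnOptions("guest-7", owners)));
console.log("owner speaker:",
  ownerToolsReachable(toolsFailClosed, voiceTurnOptions("owner-1", owners)));
```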