CVE-2026-35620 - Vulnerability Analysis
MediumCVSS: 5.4Last Updated: April 13, 2026
OpenClaw - Broken Access Control
Published: April 10, 2026Updated: April 13, 2026PoC AvailableRemote Exploitable
Overview
OpenClaw before 2026.3.24 contains missing authorization vulnerabilities in /send and /allowlist chat command handlers, letting attackers with operator.write scope persistently mutate session policies and modify allowlist entries without admin authorization.
Severity & Score
Severity: Medium
CVSS Score: 5.4
Impact
Attackers can persistently change session delivery policies and modify allowlist configurations without proper admin rights, potentially compromising system integrity.
Mitigation
Update to version 2026.3.24 or later.
References
- https://github.com/openclaw/openclaw/security/advisories/GHSA-39mp-545q-w789
- https://github.com/openclaw/openclaw/security/advisories/GHSA-vqvg-86cc-cg83
- https://www.vulncheck.com/advisories/openclaw-missing-authorization-in-send-and-allowlist-chat-commands
- https://github.com/openclaw/openclaw/commit/555b2578a8cc6e1b93f717496935ead97bfbed8b
- https://github.com/openclaw/openclaw/commit/ccfeecb6887cd97937e33a71877ad512741e82b2
- https://github.com/openclaw/openclaw/commit/ea018a68ccb92dbc735bc1df9880d5c95c63ca35
Related Resources
Details
- CVE ID
- CVE-2026-35620
- Severity
- Medium
- CVSS Score
- 5.4
- Type
- broken_access_control
- Status
- confirmed
CWE
- CWE-862
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L