CVE-2026-35621 - Vulnerability Analysis
MediumCVSS: 6.5Last Updated: April 13, 2026
OpenClaw - Privilege Escalation
Published: April 10, 2026Updated: April 13, 2026PoC AvailableRemote Exploitable
Overview
OpenClaw before 2026.3.24 contains a privilege escalation vulnerability caused by /allowlist command failing to re-validate gateway client scopes for internal callers, letting operator.write-scoped clients mutate channel authorization policy, exploit requires attacker to use chat.send to build internal command-authorized context.
Severity & Score
Severity: Medium
CVSS Score: 6.5
Impact
Attackers can escalate privileges to modify channel authorization policies reserved for higher scopes, compromising access control.
Mitigation
Update to version 2026.3.24 or later.
References
Related Resources
Details
- CVE ID
- CVE-2026-35621
- Severity
- Medium
- CVSS Score
- 6.5
- Type
- broken_access_control
- Status
- confirmed
CWE
- CWE-862
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N