Authorization Bypass in OpenClaw Affects Security of Action Handlers
CVE-2026-35652

CVSS score: 6.9 (MEDIUM)

Key Information:

Vendor: Openclaw
Status: Vendor
CVE Published: 10 April 2026

What is CVE-2026-35652?

OpenClaw versions prior to 2026.3.22 contain a significant authorization bypass flaw within its interactive callback dispatch mechanism. This vulnerability permits attackers to circumvent sender authorization checks, allowing non-allowlisted senders to execute action handlers before the usual security validations are completed. As a result, unauthorized actions can be performed, potentially compromising the integrity and security of the application. Users are advised to update to the latest version to mitigate this risk.
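The ordering defect described above, as an added illustration that is not OpenClaw's own code: a hypothetical interactive callback dispatcher whose vulnerable path resolves and runs the action handler before the sender allowlist is consulted, next to a hardened path that authorizes first. The `Callback`, `Dispatcher` and `demo` names are assumptions for this example.

```python
# Hypothetical dispatcher (not OpenClaw's code) showing why check order matters.
from dataclasses import dataclass, field


@dataclass
class Callback:
    sender: str   # identity of whoever triggered the interactive element
    action: str   # handler name carried in the callback payload


@dataclass
class Dispatcher:
    allowlist: set
    handlers: dict = field(default_factory=dict)
    executed: list = field(default_factory=list)  # audit trail of handler runs

    def register(self, name, fn):
        self.handlers[name] = fn

    def is_authorized(self, sender):
        return sender in self.allowlist

    def dispatch_vulnerable(self, cb):
        # Bug: the handler is looked up and executed as part of handling the
        # callback, and the sender authorization check runs only afterwards.
        handler = self.handlers.get(cb.action)
        if handler is None:
            return "unknown-action"
        result = handler(cb.sender)
        self.executed.append((cb.sender, cb.action))
        if not self.is_authorized(cb.sender):
            return "denied"  # too late: the side effect already happened
        return result

    def dispatch_fixed(self, cb):
        # Fix: deny by default before any handler lookup or side effect.
        if not self.is_authorized(cb.sender):
            return "denied"
        handler = self.handlers.get(cb.action)
        if handler is None:
            return "unknown-action"
        self.executed.append((cb.sender, cb.action))
        return handler(cb.sender)


def demo(sender, use_fix):
    """Run one constructed callback through either path; return (verdict, audit)."""
    d = Dispatcher(allowlist={"alice"})  # constructed allowlist
    d.register("restart_service", lambda who: f"restarted by {who}")
    cb = Callback(sender=sender, action="restart_service")
    verdict = d.dispatch_fixed(cb) if use_fix else d.dispatch_vulnerable(cb)
    return verdict, list(d.executed)
```

In the vulnerable path a non-allowlisted sender still receives "denied", yet the audit trail shows the handler already ran; detection logic that only watches the final verdict would miss it.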

Affected Version(s)

OpenClaw 0 < 2026.3.22

OpenClaw 2026.3.22

CVSS v4

Score: 6.9
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Peng Zhou (@zpbrent)