Vulnerability DatabaseCVE-2026-35631
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2026-35631
Published:April 09, 2026
Updated:April 29, 2026
OpenClaw before 2026.3.22 fails to enforce operator.admin scope on mutating internal ACP chat commands, allowing unauthorized modifications. Attackers without admin privileges can execute mutating control-plane actions by directly invoking affected ACP commands to bypass authorization gates.
Affected Packages
https://github.com/openclaw/openclaw.git (GITHUB):
Affected version(s) >=v0.1.0 <2026.3.22
Fix Suggestion:
Update to version 2026.3.22
openclaw (NPM):
Affected version(s) >=0.0.1 <2026.3.22
Fix Suggestion:
Update to version 2026.3.22
Related Resources (4)
https://github.com/openclaw/openclaw/security/advisories/GHSA-3w6x-gv34-mqpf
https://www.vulncheck.com/advisories/openclaw-missing-authorization-enforcement-in-internal-acp-chat-commands
https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87
https://github.com/openclaw/openclaw/commit/229426a257e49694a59fa4e3895861d02a4d767f
Do you need more information?
Contact Us
CVSS v4
Base Score:
7.1
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
LOW
User Interaction
NONE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
HIGH
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
6.5
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
NONE
Integrity
HIGH
Availability
NONE
Weakness Type (CWE)
Missing Authorization
CWE-862
EPSS
Base Score:
0.03