CVE-2026-35648
LOW
NVD
CVSS Score
3.7
Severity
LOW
Published
Apr 10, 2026
Vendor
unknown
Description
OpenClaw before 2026.3.22 contains a policy bypass vulnerability where queued node actions are not revalidated against current command policy when delivered. Attackers can exploit stale allowlists or declarations that survive policy tightening to execute unauthorized commands.
References
- https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87
- https://github.com/openclaw/openclaw/commit/ec2c6d83b9f5f91d6d9094842e0f19b88e63e3e2
- https://github.com/openclaw/openclaw/security/advisories/GHSA-wj55-88gf-x564
- https://www.vulncheck.com/advisories/openclaw-policy-bypass-via-unvalidated-queued-node-actions