CVE-2026-35638
Published 2026-04-09
Priority P2 · 61 · High · 8.8 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.29% (20.5th percentile)
OpenClaw before 2026.3.22 contains a privilege escalation vulnerability in the Control UI that allows unauthenticated sessions to retain self-declared privileged scopes without device identity verification. Attackers can exploit the device-less allow path in the trusted-proxy mechanism to maintain elevated permissions by declaring arbitrary scopes, bypassing device identity requirements.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| openclaw | openclaw | < 2026.3.22 | 2026.3.22 |
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| NVD | 4.0 | 8.7 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
VulDB
OpenClaw up to 2026.3.21 incorrect user management (GHSA-48vw-m3qc-wr99)
Source: VulDB · 2026-04-10 · CVSS 8.7 · HIGH
A vulnerability was found in OpenClaw up to 2026.3.21 and classified as critical. The affected element is an unknown function. Such manipulation leads to incorrect user management.
This vulnerability is referenced as CVE-2026-35638. It is possible to launch the attack remotely. No exploit is available.
It is suggested to upgrade the affected component.
GHSA
GHSA-q49f-7fgv-7hx8: OpenClaw before 2026
Source: GHSA (unreviewed) · 2026-04-10 · HIGH · CWE-286
OpenClaw before 2026.3.22 contains a privilege escalation vulnerability in the Control UI that allows unauthenticated sessions to retain self-declared privileged scopes without device identity verification. Attackers can exploit the device-less allow path in the trusted-proxy mechanism to maintain elevated permissions by declaring arbitrary scopes, bypassing device identity requirements.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87
- https://github.com/openclaw/openclaw/commit/ccf16cd8892402022439346ae1d23352e3707e9e
- https://github.com/openclaw/openclaw/security/advisories/GHSA-48vw-m3qc-wr99
- https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-self-declared-scopes-in-trusted-proxy-control-ui