Compliance Impact

The vulnerability allows lower-privileged clients with operator.write scope to escalate privileges and persistently modify channel authorization policies that should be restricted to operator.admin scope.

This improper privilege management (CWE-269) can weaken access controls and potentially lead to unauthorized access or modification of sensitive data or communication channels.

Such unauthorized privilege escalation and access control failures could negatively impact compliance with standards and regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive information.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-35621 is a privilege escalation vulnerability in OpenClaw versions before 2026.3.24. It occurs because the /allowlist command fails to properly re-validate gateway client scopes for internal callers. This flaw allows clients with the operator.write scope to indirectly modify channel authorization policies that should only be changed by clients with the higher-privilege operator.admin scope.

Specifically, the chat.send action, accessible to operator.write scoped clients, creates an internal command-authorized context. Through this context, an attacker can persistently change channel allowFrom and groupAllowFrom policies, which control who is authorized on channels. The vulnerability arises from a missing sink-side internal admin check in the /allowlist command, unlike other commands such as /config and /plugins that enforce stricter admin checks.

This results in a control-plane mismatch where lower-privileged users can make persistent administrative changes, weakening the intended privilege separation.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an attacker with operator.write privileges to escalate their privileges and persistently modify channel authorization policies that should be restricted to operator.admin users.

As a result, unauthorized users can widen direct message or group allowlists, effectively granting themselves or others unauthorized access to channels.

This undermines the security controls designed to separate write-level actions from administrative-level persistent authorization changes, potentially leading to unauthorized access and control over communication channels.

Useful 0 Not Useful 0

Detection Guidance

Detection of this vulnerability involves identifying whether unauthorized persistent changes to channel authorization policies have been made by clients with only operator.write scope. Since the vulnerability allows such clients to mutate channel allowFrom and groupAllowFrom policies via the /allowlist command through chat.send, monitoring for unexpected modifications to these policies is key.

Commands to detect exploitation might include reviewing logs or audit trails for calls to chat.send that result in /allowlist add or remove commands, especially those originating from clients without operator.admin scope.

Specific commands are not provided in the available resources.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade OpenClaw to version 2026.3.24 or later, where the vulnerability has been fixed by adding the missing sink-side internal admin check to the /allowlist command.

Until the upgrade can be applied, restrict access to clients with operator.write scope from executing the /allowlist command or limit their ability to use chat.send to prevent unauthorized persistent changes.

Maintain existing policy checks on config writes and pairing-store behavior as secondary controls, but do not rely on them alone to enforce privilege boundaries.

Useful 0 Not Useful 0