CVE-2026-35637
Authorization Bypass in OpenClaw Allows Premature Content Access
Publication date: 2026-04-09
Last updated on: 2026-04-15
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openclaw | openclaw | to 2026.3.22 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-696 | The product performs multiple related behaviors, but the behaviors are performed in the wrong order in ways that may produce resultant weaknesses. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in OpenClaw versions before 2026.3.22. The software performs cite expansion before completing channel and direct message (DM) authorization checks. This means that content and cite work can be handled before the system has finalized authorization decisions.
Attackers can exploit this timing flaw to access or manipulate content before proper authorization validation occurs.
How can this vulnerability impact me? :
The vulnerability allows attackers to access or manipulate content without proper authorization. This can lead to unauthorized disclosure, modification, or misuse of sensitive information or content handled by OpenClaw.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability in OpenClaw allows attackers to access or manipulate content before proper authorization validation occurs. This premature access could lead to unauthorized disclosure or alteration of sensitive data.
Such unauthorized access or manipulation of data may impact compliance with data protection regulations like GDPR and HIPAA, which require strict access controls and protection of personal and sensitive information.
Therefore, exploitation of this vulnerability could result in violations of these standards due to failure to enforce proper authorization before data handling.