CVE-2026-35642
Received Received - Intake
Authorization Bypass in OpenClaw Group Reaction Events Allows Privilege Escalation

Publication date: 2026-04-09

Last updated on: 2026-04-15

Assigner: VulnCheck

Description
OpenClaw before 2026.3.25 contains an authorization bypass vulnerability where group reaction events bypass the requireMention access control mechanism. Attackers can trigger reactions in mention-gated groups to enqueue agent-visible system events that should remain restricted.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-09
Last Modified
2026-04-15
Generated
2026-06-16
AI Q&A
2026-04-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-35642
EUVD
EUVD-2026-21138
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
openclaw openclaw to 2026.3.25 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-288 The product requires authentication, but the product has an alternate path or channel that does not require authentication.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in OpenClaw versions before 2026.3.25 and involves an authorization bypass. Specifically, group reaction events bypass the requireMention access control mechanism, allowing attackers to trigger reactions in mention-gated groups. This enables them to enqueue agent-visible system events that should normally be restricted.

Impact Analysis

The impact of this vulnerability is that attackers with limited privileges can bypass access controls to trigger system events that are supposed to be restricted. This could lead to unauthorized actions or visibility of system events, potentially undermining the security and integrity of the affected system.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-35642. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart