CVE-2026-35648
Received Received - Intake
Policy Bypass in OpenClaw Node Actions Enables Unauthorized Commands

Publication date: 2026-04-10

Last updated on: 2026-04-13

Assigner: VulnCheck

Description
OpenClaw before 2026.3.22 contains a policy bypass vulnerability where queued node actions are not revalidated against current command policy when delivered. Attackers can exploit stale allowlists or declarations that survive policy tightening to execute unauthorized commands.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-10
Last Modified
2026-04-13
Generated
2026-06-16
AI Q&A
2026-04-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-35648
EUVD
EUVD-2026-21442
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
openclaw openclaw to 2026.3.22 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-367 The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-35648 is a policy bypass vulnerability in OpenClaw versions before 2026.3.22. It occurs because queued node actions are not revalidated against the current command policy when they are delivered to a node. This means that commands that were allowed when queued but later disallowed due to policy tightening can still be executed, allowing attackers to exploit stale allowlists or declarations to run unauthorized commands.

The vulnerability is related to a Time-of-check Time-of-use (TOCTOU) race condition where the system fails to check the validity of queued commands at the time of execution, leading to potential unauthorized actions.

Impact Analysis

This vulnerability can allow attackers to execute unauthorized commands on nodes managed by OpenClaw by exploiting commands that were previously allowed but have since been disallowed by updated policies. This can lead to execution of harmful or disallowed actions that bypass current security controls.

Because queued actions are not revalidated at delivery time, the system's security policies can be effectively bypassed, increasing the risk of unauthorized access or control over affected nodes.

Mitigation Strategies

To mitigate the vulnerability CVE-2026-35648, you should update OpenClaw to version 2026.3.22 or later, where the issue has been fixed.

The fix involves revalidating queued node actions against the current command policy at the time of delivery, ensuring that any commands no longer allowed by the updated policy are dropped and not executed.

  • Apply the patch or upgrade to OpenClaw 2026.3.22 or newer.
  • Verify that your system uses the updated code that includes the function `resolveAllowedPendingNodeActions` to filter pending node actions.
  • Run regression tests similar to those added in the fix to confirm that disallowed queued actions are properly dropped.
Compliance Impact

The vulnerability in OpenClaw allows unauthorized commands to be executed due to queued node actions not being revalidated against the current command policy. This could potentially lead to unauthorized access or actions within a system.

While the provided information does not explicitly mention compliance with standards such as GDPR or HIPAA, the presence of unauthorized command execution could imply risks related to data integrity and security controls required by such regulations.

The fix introduced ensures that queued actions are revalidated against the current policy before execution, which strengthens enforcement of security policies and reduces the risk of unauthorized actions, thereby supporting compliance with security requirements common in standards like GDPR and HIPAA.

Detection Guidance

This vulnerability involves queued node actions in OpenClaw not being revalidated against the current command policy when delivered, allowing unauthorized commands to execute if stale allowlists persist.

To detect exploitation or presence of this vulnerability on your system, you should monitor queued node actions and verify whether they are being revalidated against the current command policy before execution.

Specifically, you can check the pending node actions queue and compare the commands in the queue against the current allowlist or declared commands for each node. If commands that should be disallowed are still queued or executed, this indicates the vulnerability is present.

Since the fix involves the function `resolveAllowedPendingNodeActions` filtering queued actions at delivery time, you can audit your OpenClaw version and confirm whether this function or equivalent revalidation logic is in place.

Regarding commands, while no explicit detection commands are provided in the resources, you can use OpenClaw's administrative or debugging interfaces to list pending node actions and their associated commands, then cross-check these against the current node command allowlist.

For example, if you have access to the OpenClaw server environment, you might run commands or scripts that invoke the listing of pending actions and verify their commands against the current policy. This could be done by inspecting logs or using OpenClaw's API or CLI tools if available.

If you observe queued commands such as "camera.snap" or "canvas.navigate" that have been removed from the allowlist but are still executed or delivered, this indicates the vulnerability is exploitable on your system.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-35648. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart