CVE-2026-35652
Authorization Bypass in OpenClaw Callback Dispatch Enables Unauthorized Actions
Publication date: 2026-04-10
Last updated on: 2026-04-13
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openclaw | openclaw | to 2026.3.22 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-696 | The product performs multiple related behaviors, but the behaviors are performed in the wrong order in ways that may produce resultant weaknesses. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-35652 is an authorization bypass vulnerability in OpenClaw versions before 2026.3.22. It occurs in the interactive callback dispatch mechanism, where action handlers are executed before completing normal sender authorization checks.
This flaw allows attackers who are not on the allowlist to dispatch callbacks prematurely, bypassing security validation and enabling unauthorized actions to be executed.
The vulnerability was fixed by enforcing authorization checks before dispatching callbacks and by tightening verification of inbound callbacks and sender allowlists across multiple integrations such as Mattermost and Google Chat.
How can this vulnerability impact me? :
This vulnerability can allow unauthorized users to execute actions within OpenClaw integrations without proper permission.
- Attackers can bypass sender authorization checks and perform unauthorized operations.
- It requires no privileges or user interaction, making exploitation easier.
- Potential impacts include unauthorized command execution, manipulation of interactive actions, and possible disruption or misuse of integrated communication platforms.
What immediate steps should I take to mitigate this vulnerability?
To mitigate the CVE-2026-35652 vulnerability, immediately upgrade OpenClaw to version 2026.3.22 or later, as these versions contain patches that enforce proper authorization checks before dispatching callbacks.
- Apply the patch that enforces callback authorization prior to action dispatch, which fixes the premature execution of action handlers.
- Ensure that the Mattermost integration includes the new authorization step for button click interactions to block unauthorized actions.
- Verify that inbound callback and webhook sender checks are tightened, especially for Mattermost and Google Chat integrations.
- Confirm that Google Chat request verification includes email verification, issuer validation, and add-on principal binding checks.
These steps collectively prevent unauthorized sender actions by enforcing stricter identity and allowlist checks, reducing the risk of unauthorized command execution.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not explicitly address how CVE-2026-35652 impacts compliance with common standards and regulations such as GDPR or HIPAA.