Compliance Impact

The provided information does not explicitly address how CVE-2026-35655 affects compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-35655 is an identity spoofing vulnerability in OpenClaw versions before 2026.3.22 that affects the ACP (Access Control Policy) permission resolution process.

The vulnerability occurs because the system trusts conflicting tool identity hints coming from rawInput parameters and metadata. Attackers can exploit this by spoofing tool identities through rawInput inputs, which allows them to suppress prompts that warn users about dangerous tools.

This means that attackers can bypass security restrictions by making the system believe a dangerous tool is safe, leading to unauthorized or harmful actions.

The root causes include reliance on untrusted inputs in security decisions (CWE-807) and incorrect authorization checks (CWE-863). The issue was fixed by enforcing a fail-closed behavior when conflicting tool identity hints are detected, denying access rather than trusting spoofable inputs.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow attackers to spoof tool identities and suppress security prompts designed to warn users about dangerous tools.

As a result, attackers may bypass security restrictions and execute unauthorized or harmful actions within the OpenClaw environment.

This could lead to increased risk of exploitation, unauthorized access, or execution of dangerous commands without user awareness.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate the CVE-2026-35655 vulnerability, you should upgrade OpenClaw to version 2026.3.22 or later, where the issue has been fixed.

The fix involves changes that enforce strict validation of tool identity hints in the ACP permission resolution process, causing the system to fail closed when conflicting tool identity hints are detected. This prevents attackers from spoofing tool identities via rawInput parameters and suppressing dangerous-tool prompts.

Ensure that your deployment uses the patched versions (2026.3.22, 2026.3.23, or 2026.3.23-2) and verify that the security improvements related to tool identity verification are in place.

Useful 0 Not Useful 0

Detection Guidance

There is no specific information provided in the available resources about direct detection methods or commands to identify exploitation of CVE-2026-35655 on a network or system.

However, since the vulnerability involves spoofing tool identities through rawInput parameters in OpenClaw versions prior to 2026.3.22, detection efforts could focus on monitoring or auditing the ACP permission resolution process for conflicting tool identity hints or unexpected rawInput values.

To detect if a vulnerable version is in use, you can check the installed OpenClaw version and verify if it is older than 2026.3.22, which contains the fix.

No explicit commands or scripts are provided in the resources for detection or exploitation attempts.

Useful 0 Not Useful 0