Vulnerability Description
OpenClaw before 2026.3.24 contains missing authorization vulnerabilities in the /send and /allowlist chat command handlers. The /send command allows non-owner command-authorized senders to change owner-only session delivery policy settings, and the /allowlist mutating commands fail to enforce operator.admin scope. Attackers with operator.write scope can invoke /send on|off|inherit to persistently mutate the current session's sendPolicy, and execute /allowlist add commands to modify config-backed allowFrom entries and pairing-store allowlist entries without proper admin authorization.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Openclaw | Openclaw | < 2026.3.24 |
Related Weaknesses (CWE)
References
- https://github.com/openclaw/openclaw/commit/555b2578a8cc6e1b93f717496935ead97bfbPatch
- https://github.com/openclaw/openclaw/commit/ccfeecb6887cd97937e33a71877ad512741ePatch
- https://github.com/openclaw/openclaw/commit/ea018a68ccb92dbc735bc1df9880d5c95c63Patch
- https://github.com/openclaw/openclaw/security/advisories/GHSA-39mp-545q-w789ExploitMitigationVendor Advisory
- https://github.com/openclaw/openclaw/security/advisories/GHSA-vqvg-86cc-cg83ExploitMitigationVendor Advisory
- https://www.vulncheck.com/advisories/openclaw-missing-authorization-in-send-and-Third Party Advisory
FAQ
What is CVE-2026-35620?
CVE-2026-35620 is a vulnerability with a CVSS score of 5.4 (MEDIUM). OpenClaw before 2026.3.24 contains missing authorization vulnerabilities in the /send and /allowlist chat command handlers. The /send command allows non-owner command-authorized senders to change owne...
How severe is CVE-2026-35620?
CVE-2026-35620 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-35620?
Check the references section above for vendor advisories and patch information. Affected products include: Openclaw Openclaw.