PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-35674 OpenClaw CVE debrief

A scope bypass vulnerability in OpenClaw before 2026.5.18 allows attackers with operator.write scope to execute privileged commands through the Gateway chat.send route. The vulnerability stems from improper authorization checks when scoped clients deliver commands through inherited external routes, bypassing required operator.approvals and operator.admin scope validations. This enables unauthorized mutations to plugins, configuration, MCP (Model Context Protocol), allowlists, and ACP (Access Control Policy) settings. The CVSS 4.0 vector indicates network attack vector with low attack complexity, low privileges required, and high impacts to confidentiality, integrity, and availability. The weakness is classified as CWE-863 (Incorrect Authorization). The vulnerability was disclosed via GitHub Security Advisory and Vulncheck advisory, with NVD status currently Undergoing Analysis.

Vendor: OpenClaw
Product: Unknown
CVSS: HIGH 8.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-29
Original CVE updated: 2026-05-29
Advisory published: 2026-05-29
Advisory updated: 2026-05-29

Who should care

Organizations running OpenClaw Gateway versions prior to 2026.5.18 with multi-tenant or scoped access configurations, particularly those using operator.write scope for automated clients or third-party integrations. Security teams should prioritize patching due to the high impact on integrity and availability of gateway-managed resources.

Technical summary

OpenClaw Gateway's chat.send route fails to properly validate scope requirements when processing commands from inherited external routes. Clients authenticated with operator.write scope can submit commands that should require operator.approvals or operator.admin scope, due to missing authorization boundary checks. The route inheritance mechanism propagates insufficient scope validation, allowing write operations on sensitive subsystems including plugin management, system configuration, Model Context Protocol handlers, allowlist modifications, and Access Control Policy changes. The vulnerability is remotely exploitable with low complexity once operator.write credentials are obtained.
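The CWE-863 pattern described above, modelled as an added example. This is not OpenClaw code: the command table, route table, Request shape and the two authorize functions are constructed to show the difference between checking only the scope of the route a client entered through and checking the scope of the command that route ends up executing. The three scope names are the ones the advisory uses; everything else is an assumption.

```python
"""Hypothetical model of the scope-bypass pattern from the debrief (added
example, not OpenClaw code). Route names other than chat.send, the command
table and the scope each command needs are constructed assumptions."""
from dataclasses import dataclass

# Scopes named in the advisory. Deliberately not a hierarchy: holding
# operator.write must not imply either of the other two.
WRITE = "operator.write"
APPROVALS = "operator.approvals"
ADMIN = "operator.admin"

# Constructed table: the scope each gateway command actually requires.
COMMAND_SCOPE = {
    "chat.send": WRITE,
    "plugins.install": ADMIN,
    "config.set": ADMIN,
    "mcp.register": ADMIN,
    "allowlist.add": ADMIN,
    "acp.update": ADMIN,
    "approvals.grant": APPROVALS,
}

# Constructed table: the scope needed to reach a route at all.
ROUTE_SCOPE = {"chat.send": WRITE}


@dataclass(frozen=True)
class Request:
    client_scopes: frozenset
    route: str               # route the client called, e.g. "chat.send"
    command: str             # command the route ends up executing
    inherited: bool = False  # True when the route forwards an external command


class ScopeError(PermissionError):
    pass


def _require(req: Request, scope) -> None:
    # Fail closed: an unknown command (scope None) is denied, not allowed.
    if scope is None or scope not in req.client_scopes:
        raise ScopeError(f"{req.command} via {req.route} needs {scope}")


def authorize_vulnerable(req: Request) -> str:
    """Before-the-fix behaviour: a forwarded command is trusted because the
    route itself was reachable with the client's scope."""
    _require(req, ROUTE_SCOPE.get(req.route))
    if req.inherited:
        # Bug: the scope check for the delegated command is skipped.
        return req.command
    _require(req, COMMAND_SCOPE.get(req.command))
    return req.command


def authorize_fixed(req: Request) -> str:
    """Hardened behaviour: the executed command's own scope is always
    enforced, regardless of which route delivered it."""
    _require(req, ROUTE_SCOPE.get(req.route))
    _require(req, COMMAND_SCOPE.get(req.command))
    return req.command


def demo() -> dict:
    """Which check accepts a write-only client that forwards an admin-level
    command through chat.send? Returns {"vulnerable": ..., "fixed": ...}."""
    forwarded = Request(frozenset({WRITE}), "chat.send", "config.set", inherited=True)
    out = {}
    for name, check in (("vulnerable", authorize_vulnerable), ("fixed", authorize_fixed)):
        try:
            check(forwarded)
            out[name] = "accepted"
        except ScopeError:
            out[name] = "rejected"
    return out


if __name__ == "__main__":
    print(demo())  # {'vulnerable': 'accepted', 'fixed': 'rejected'}
```

The point of the fixed version is that authorization is keyed on what will execute, not on how the request arrived; route inheritance then cannot widen a client's effective scope, and a command missing from the table is denied rather than passed through.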

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade OpenClaw to version 2026.5.18 or later
  • Review and audit all operator.write scoped client activities for unauthorized privileged command execution
  • Implement additional authorization checks on inherited external routes in Gateway configurations
  • Monitor for unauthorized plugin, config, MCP, allowlist, and ACP mutations in audit logs
  • Validate scope inheritance patterns in custom route implementations
  • Apply principle of least privilege by restricting operator.write scope assignments
  • Review GitHub Security Advisory GHSA-hw9r-h9mr-4jff for vendor-provided mitigation guidance
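A detection pass for the audit and monitoring items above, as an added example rather than an OpenClaw tool. The JSON-lines audit format, its field names and the sample events are constructed assumptions and would have to be mapped onto the real gateway's log schema; the subsystem names and scope names are the ones the advisory lists.

```python
"""Added detection example for the debrief's audit/monitoring advice. Not an
OpenClaw tool: the log format and sample events below are constructed."""
import json
from collections import Counter

# Subsystems the advisory names as reachable through the bypass, mapped to the
# scope a mutation should have required (constructed mapping).
PRIVILEGED_PREFIXES = {
    "plugins.": "operator.admin",
    "config.": "operator.admin",
    "mcp.": "operator.admin",
    "allowlist.": "operator.admin",
    "acp.": "operator.admin",
    "approvals.": "operator.approvals",
}

# Constructed sample audit log: one JSON object per gateway request.
SAMPLE_LOG = """\
{"ts":"2026-05-30T09:00:01Z","client":"ci-bot","scopes":["operator.write"],"route":"chat.send","command":"chat.send","result":"ok"}
{"ts":"2026-05-30T09:00:07Z","client":"ci-bot","scopes":["operator.write"],"route":"chat.send","command":"plugins.install","result":"ok"}
{"ts":"2026-05-30T09:00:09Z","client":"admin-cli","scopes":["operator.write","operator.admin"],"route":"config.set","command":"config.set","result":"ok"}
{"ts":"2026-05-30T09:00:12Z","client":"ci-bot","scopes":["operator.write"],"route":"chat.send","command":"acp.update","result":"ok"}
{"ts":"2026-05-30T09:00:15Z","client":"reviewer","scopes":["operator.write"],"route":"chat.send","command":"approvals.grant","result":"denied"}
"""


def required_scope(command: str):
    """Scope a privileged mutation should need, or None for non-privileged commands."""
    for prefix, scope in PRIVILEGED_PREFIXES.items():
        if command.startswith(prefix):
            return scope
    return None


def find_scope_bypass(lines) -> list:
    """Flag privileged commands issued by clients whose granted scopes lack
    the required scope. A successful one is a bypass; a denied one is an
    attempt, which is still worth reviewing on a patched gateway."""
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        need = required_scope(ev["command"])
        if need is None or need in ev["scopes"]:
            continue
        findings.append({
            "ts": ev["ts"],
            "client": ev["client"],
            "command": ev["command"],
            "missing_scope": need,
            # route differing from command is the inherited-route path
            "via_inherited_route": ev["route"] != ev["command"],
            "status": "bypass" if ev["result"] == "ok" else "attempt",
        })
    return findings


def clients_to_review(findings) -> dict:
    """Count successful bypasses per client, for prioritising credential review."""
    return dict(Counter(f["client"] for f in findings if f["status"] == "bypass"))


if __name__ == "__main__":
    hits = find_scope_bypass(SAMPLE_LOG.splitlines())
    for h in hits:
        print(h)
    print(clients_to_review(hits))  # {'ci-bot': 2}
```

Run against the real audit stream, the same two conditions apply: a client's recorded scopes versus the scope the executed command should require, and a route that differs from the command it executed. Any successful hit from before the upgrade to 2026.5.18 is a mutation to re-validate, not just an alert.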

Evidence notes

Vulnerability confirmed through GitHub Security Advisory GHSA-hw9r-h9mr-4jff and Vulncheck advisory. NVD entry published 2026-05-29 with status Undergoing Analysis. CVSS 4.0 score 8.7 (HIGH). Affected versions: OpenClaw before 2026.5.18.

Official resources

2026-05-29