PT-2026-31766 · Openclaw · Openclaw
Tdjackey · Published 2026-04-09 · Updated 2026-04-10 · CVE-2026-35631
CVSS v3.1: 6.5 (Medium)
CVSS v3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions
OpenClaw versions prior to 2026.3.22
Description
OpenClaw versions prior to 2026.3.22 do not properly enforce the operator.admin scope on mutating internal ACP chat commands, which allows unauthorized modifications. An attacker without admin privileges can bypass the authorization gate by invoking the affected ACP commands directly and thereby execute mutating control-plane actions.
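The weakness class described above is an authorization check that guards only one entry path while the command itself remains reachable by another. The following is an added illustration, not OpenClaw's code: a hypothetical command dispatcher in which the weak pattern checks the scope only in a front-end entry point, and the hardened pattern checks it once at dispatch so every path to a mutating command is gated and denials are logged for detection. Command names, the `Caller` type, the dispatcher API and the `operator.read` scope are assumptions; only the `operator.admin` scope name comes from the advisory.

```python
"""Added example (not OpenClaw's code): enforcing an admin scope on mutating
commands at the dispatch layer, so a caller cannot skip the gate by invoking
the command directly. Command names, scope names other than operator.admin,
and the dispatcher API are assumptions for illustration."""
from dataclasses import dataclass
import logging

log = logging.getLogger("acp.authz")

ADMIN_SCOPE = "operator.admin"

# Hypothetical command table: which commands change control-plane state.
COMMANDS = {
    "status":        {"mutating": False},
    "set-config":    {"mutating": True},
    "restart-agent": {"mutating": True},
}


@dataclass(frozen=True)
class Caller:
    name: str
    scopes: frozenset


class AuthorizationError(PermissionError):
    pass


class _ControlPlane:
    """Fake backend shared by both dispatchers so their state is comparable."""
    def __init__(self):
        self.config = {}
        self.restarts = 0

    def run(self, cmd, *args):
        if cmd == "status":
            return {"config": dict(self.config), "restarts": self.restarts}
        if cmd == "set-config":
            key, value = args
            self.config[key] = value
            return "ok"
        if cmd == "restart-agent":
            self.restarts += 1
            return "ok"
        raise KeyError(cmd)


class GateOnlyInFrontend(_ControlPlane):
    """Weak pattern: the admin check lives only in the menu entry point,
    while the underlying invoke() is reachable without it."""
    def menu_invoke(self, caller, cmd, *args):
        if COMMANDS[cmd]["mutating"] and ADMIN_SCOPE not in caller.scopes:
            raise AuthorizationError(f"{caller.name} lacks {ADMIN_SCOPE}")
        return self.invoke(caller, cmd, *args)

    def invoke(self, caller, cmd, *args):
        return self.run(cmd, *args)  # no gate on this path


class GateInDispatcher(_ControlPlane):
    """Hardened pattern: every path to a mutating command goes through one
    authorization check at dispatch, and denials are logged."""
    def menu_invoke(self, caller, cmd, *args):
        return self.invoke(caller, cmd, *args)

    def invoke(self, caller, cmd, *args):
        spec = COMMANDS.get(cmd)
        if spec is None:
            raise KeyError(cmd)
        if spec["mutating"] and ADMIN_SCOPE not in caller.scopes:
            log.warning("denied mutating command %s for %s (scopes=%s)",
                        cmd, caller.name, sorted(caller.scopes))
            raise AuthorizationError(f"{caller.name} lacks {ADMIN_SCOPE}")
        return self.run(cmd, *args)


def direct_call_is_gated(dispatcher_cls):
    """Regression check: a non-admin caller invoking a mutating command
    directly must be denied and must leave state untouched."""
    d = dispatcher_cls()
    user = Caller("alice", frozenset({"operator.read"}))  # constructed caller
    try:
        d.invoke(user, "set-config", "mode", "unsafe")
    except AuthorizationError:
        return d.config == {}
    return False  # the call went through: the gate was bypassed


def admin_still_works(dispatcher_cls):
    """The gate must not block legitimate admin use."""
    d = dispatcher_cls()
    admin = Caller("ops", frozenset({"operator.read", ADMIN_SCOPE}))
    d.invoke(admin, "set-config", "mode", "safe")
    return d.config == {"mode": "safe"}


if __name__ == "__main__":
    for cls in (GateOnlyInFrontend, GateInDispatcher):
        print(f"{cls.__name__}: direct call gated = {direct_call_is_gated(cls)}")
```

The regression check `direct_call_is_gated` is the kind of test to keep in a suite after a fix like the one in 2026.3.22: it exercises the command through the lowest-level entry point rather than the menu, so a gate that only exists in the front end fails the test.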
Recommendations
Update to version 2026.3.22 or later.
Fix
Weakness Enumeration
Missing Authorization
Related Identifiers
Affected Products
Openclaw