PT-2026-31773 · Openclaw
Credit: Keensecuritylab +1
Published: 2026-04-09 · Updated: 2026-04-12
CVE-2026-35638
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
OpenClaw versions prior to 2026.3.22
Description
OpenClaw contains a privilege escalation vulnerability in the Control UI: unauthenticated sessions can retain self-declared privileged scopes without device identity verification. An attacker can use the device-less allow path of the trusted-proxy mechanism to keep elevated permissions by declaring arbitrary scopes, bypassing the device identity requirement.
Recommendations
Update to version 2026.3.22 or later.
Fix
LPE
Affected Products
Openclaw