CVE-2026-35624
MEDIUM
OpenClaw < 2026.3.22 - Policy Confusion via Room Name Collision in Nextcloud Talk
Title source: cnaDescription
OpenClaw before 2026.3.22 contains a policy confusion vulnerability in its Nextcloud Talk room authorization: allowlist policies are matched against room names, which can collide, instead of against the stable room tokens that identify a conversation. An attacker who controls a room whose name collides with that of an allowlisted room can therefore satisfy the allowlist and gain unauthorized access to protected Nextcloud Talk rooms.
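The confusion the description refers to, as an added illustration that is not OpenClaw's own code: a name-keyed allowlist beside a token-keyed one, plus a check that flags allowlist entries which already resolve to more than one room. The TalkRoom shape, the room names and tokens, and the allowlist layout are assumptions made for the example; the advisory does not state how OpenClaw stores or evaluates its policy.

```typescript
// Added example (not OpenClaw's code): models the policy confusion the advisory
// describes. The TalkRoom shape and the allowlist layout are assumptions.

// Assumed minimal view of a Nextcloud Talk conversation as an integration sees it.
// `token` is the server-assigned, stable conversation identifier (the value in a
// /call/<token> URL); `name` is the human-chosen display name, which is neither
// unique nor stable.
interface TalkRoom {
  token: string;
  name: string;
}

// Constructed sample rooms (not real data). The attacker's room reuses the
// protected room's display name but has its own token.
const protectedRoom: TalkRoom = { token: "k7m2p9qz", name: "ops-oncall" };
const attackerRoom: TalkRoom = { token: "x4b8n1rt", name: "ops-oncall" };

// Vulnerable pattern: allowlist keyed on display names. Because any user who can
// create or rename a conversation can choose a colliding name, the policy cannot
// tell the two rooms apart.
const nameAllowlist: string[] = ["ops-oncall"];

function isAllowedByName(room: TalkRoom, allow: string[]): boolean {
  return allow.indexOf(room.name) !== -1;
}

// Hardened pattern: allowlist keyed on room tokens. Tokens are assigned by the
// server, do not collide, and survive a rename, so only the intended room matches.
const tokenAllowlist: string[] = [protectedRoom.token];

function isAllowedByToken(room: TalkRoom, allow: string[]): boolean {
  return allow.indexOf(room.token) !== -1;
}

// Pre-migration check: given the rooms an integration can see and a name-keyed
// allowlist, report every allowlisted name that resolves to more than one token.
// Each such entry is ambiguous and must be replaced by the token of the room the
// operator actually meant.
function findCollidingAllowlistNames(
  rooms: TalkRoom[],
  allow: string[]
): { [name: string]: string[] } {
  const tokensByName: { [name: string]: string[] } = {};
  rooms.forEach((r) => {
    if (allow.indexOf(r.name) === -1) return;
    if (!tokensByName[r.name]) tokensByName[r.name] = [];
    tokensByName[r.name].push(r.token);
  });
  const collisions: { [name: string]: string[] } = {};
  Object.keys(tokensByName).forEach((name) => {
    if (tokensByName[name].length > 1) collisions[name] = tokensByName[name];
  });
  return collisions;
}

// Demonstration: the name-keyed policy admits the attacker's room, the token-keyed one does not.
console.log("name policy admits attacker room: ", isAllowedByName(attackerRoom, nameAllowlist)); // true
console.log("token policy admits attacker room:", isAllowedByToken(attackerRoom, tokenAllowlist)); // false
console.log("ambiguous allowlist entries:", findCollidingAllowlistNames([protectedRoom, attackerRoom], nameAllowlist));
```

Run it with ts-node. The point of `findCollidingAllowlistNames` is operational: before switching an existing deployment to a token-keyed policy, every name-keyed entry that already matches several rooms has to be resolved by a human, since the integration cannot know which of the colliding rooms was the intended one.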
Scores
CVSS v3
4.2
EPSS
0.0006
EPSS Percentile
18.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
Details
CWE
CWE-807
Status
published
Products (4)
npm/openclaw: 0 - 2026.3.22 (npm)
OpenClaw/OpenClaw: < 2026.3.22
openclaw/openclaw: < 2026.3.22
OpenClaw/OpenClaw: 2026.3.22
Published
Apr 09, 2026
Tracked Since
Apr 10, 2026