CVE-2026-35649

MEDIUM

OpenClaw < 2026.3.22 - Settings Reconciliation Bypass via Empty Allowlist

Title source: cna

Description

OpenClaw before 2026.3.22 contains a settings reconciliation vulnerability that allows attackers to bypass intended deny-all revocations by exploiting empty allowlist handling. The vulnerability treats explicit empty allowlists as unset during reconciliation, silently undoing intended access control denials and restoring previously revoked permissions.

References (4)

Core 4

Core References

Third Party Advisory third-party-advisory

GitHub Security Advisory (GHSA-pw7h-9g6p-c378)

https://github.com/openclaw/openclaw/security/advisories/GHSA-pw7h-9g6p-c378

Patch patch

Patch Commit #1

https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87

View Patch ZIP pw:eip

Patch patch

Patch Commit #2

https://github.com/openclaw/openclaw/commit/3cbf932413e41d1836cb91aed1541a28a3122f93

View Patch ZIP pw:eip

Third Party Advisory third-party-advisory

VulnCheck Advisory: OpenClaw < 2026.3.22 - Settings Reconciliation Bypass via Empty Allowlist

https://www.vulncheck.com/advisories/openclaw-settings-reconciliation-bypass-via-empty-allowlist

Scores

CVSS v3 6.5

EPSS 0.0028

EPSS Percentile 19.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-183

Status published

Products (4)

npm/openclaw 0 - 2026.3.22npm

OpenClaw/OpenClaw < 2026.3.22

openclaw/openclaw < 2026.3.22

OpenClaw/OpenClaw 2026.3.22

Published Apr 10, 2026

Tracked Since Apr 10, 2026