← Voltar para CVEs
CVE-2026-35648
LOW3.7
Descricao
OpenClaw before 2026.3.22 contains a policy bypass vulnerability where queued node actions are not revalidated against current command policy when delivered. Attackers can exploit stale allowlists or declarations that survive policy tightening to execute unauthorized commands.
Detalhes CVE
Pontuacao CVSS v3.13.7
SeveridadeLOW
Vetor CVSSCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Vetor de ataqueNETWORK
ComplexidadeHIGH
Privilegios necessariosNONE
Interacao do usuarioNONE
Publicado4/10/2026
Ultima modificacao4/13/2026
Fontenvd
Avistamentos honeypot0
Produtos afetados
openclaw:openclaw
Fraquezas (CWE)
CWE-367
Referencias
https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87(disclosure@vulncheck.com)
https://github.com/openclaw/openclaw/commit/ec2c6d83b9f5f91d6d9094842e0f19b88e63e3e2(disclosure@vulncheck.com)
https://github.com/openclaw/openclaw/security/advisories/GHSA-wj55-88gf-x564(disclosure@vulncheck.com)
https://www.vulncheck.com/advisories/openclaw-policy-bypass-via-unvalidated-queued-node-actions(disclosure@vulncheck.com)
Correlacoes IOC
Sem correlacoes registradas
This product uses data from the NVD API but is not endorsed or certified by the NVD.