CVE-2026-35674: OpenClaw Gateway Scope Bypass Privilege Escalation
OpenClaw versions before 2026.5.18 contain a privilege escalation flaw in their chat messaging system. An attacker with basic operator permissions can bypass security controls meant to restrict high-risk actions—such as modifying plugins, configurations, or access policies—by sending commands through internal message routes. This allows someone with limited access to act as if they have full administrative privileges.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-863
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-05-29 / 2026-06-17
NVD description (verbatim)
OpenClaw before 2026.5.18 contains a scope bypass vulnerability in the Gateway chat.send route that allows scoped clients to execute privileged commands. Attackers with operator.write scope can deliver commands through inherited external routes to bypass operator.approvals and operator.admin scope requirements, enabling unauthorized plugin, config, MCP, allowlist, and ACP mutations.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-35674 is a scope bypass vulnerability in OpenClaw's Gateway chat.send route. The flaw stems from insufficient authorization checks on the inherited external routes used by the chat messaging system. Attackers possessing operator.write scope can craft messages that traverse these routes to execute operations normally guarded by operator.approvals and operator.admin scope requirements. The vulnerability permits unauthorized mutations to plugins, configurations, MCP (Model Context Protocol) settings, allowlists, and ACP (Access Control Policy) definitions. The root cause maps to CWE-863 (Incorrect Authorization), indicating a logic error in how scope inheritance and route access are validated.
Business impact
This vulnerability creates a path for insiders or compromised low-privilege accounts to gain effective administrative control without detection or approval workflows. An attacker could modify plugin behavior to exfiltrate data, alter security configurations to disable protections, or inject malicious MCP definitions to compromise downstream operations. Organizations relying on role-based access controls and approval gates for compliance or operational security will see those controls circumvented. The high CVSS score (8.8) reflects the combination of network accessibility, low complexity, and high impact across confidentiality, integrity, and availability.
Affected systems
OpenClaw versions prior to 2026.5.18 are affected. Organizations should verify their deployed version by checking the OpenClaw version identifier in their deployment. All instances with network-accessible Gateway endpoints and users holding operator.write scope are at risk, regardless of cluster size or configuration variant.
Exploitability
Exploitation requires network access to the OpenClaw Gateway (implied by the CVSS vector AV:N) and an existing account with at minimum operator.write scope permissions. No user interaction is needed; the attacker sends crafted chat messages programmatically. Exploitation difficulty is low (AC:L), and the attack chain is straightforward once the attacker understands the route inheritance mechanics. No public exploit code has been designated for KEV tracking, but the simplicity and deterministic nature of the flaw make it likely to be weaponized quickly if not patched.
Remediation
Upgrade OpenClaw to version 2026.5.18 or later. This release includes authorization logic corrections to validate scope requirements on inherited external routes before permitting command execution. Organizations unable to upgrade immediately should review audit logs for suspicious chat.send messages originating from operator.write-scoped users and consider restricting network access to the Gateway endpoint or temporarily elevating monitoring on high-risk operations (plugin, config, MCP, allowlist, and ACP mutations).
Patch guidance
Apply OpenClaw 2026.5.18 or later as soon as possible. Verify the patch version in your deployment by checking the version reported by the OpenClaw API or administrative console. Test the upgrade in a non-production environment first to confirm compatibility with custom plugins and configurations. Monitor logs during and after the upgrade for any authorization-related warnings or errors. Rollback procedures should be documented before patching production systems.
Detection guidance
Look for chat.send API calls that originate from accounts with operator.write scope and result in mutations to plugins, configs, MCP settings, allowlists, or ACP policies. Audit logs should record the scope of the calling principal and the target resource. Alert on discrepancies where an operator.write-scoped caller successfully modifies resources that should require operator.approvals or operator.admin scope. Correlate chat message timing with unexpected configuration changes. Query for API responses indicating authorization success (HTTP 200/201) on privileged endpoints when initiated by low-scope principals.
Why prioritize this
HIGH priority. The combination of low exploitation barriers (low AC, network-reachable, only operator.write required), absence of user interaction, and high impact (full confidentiality, integrity, and availability compromise) makes this a critical risk. Organizations should patch within 48–72 hours if feasible. The vulnerability directly undermines access control and approval workflows, which are often centerpieces of security policy and compliance posture.
Risk score, explained
CVSS 8.8 (HIGH) reflects: AV:N (network-accessible Gateway), AC:L (no special conditions required to craft messages), PR:L (attacker must hold operator.write role, but this is typically not the most privileged role), UI:N (no social engineering or user prompt needed), S:U (impact confined to the affected system), C:H (confidentiality compromised via unauthorized mutation access), I:H (integrity compromised via unauthorized config/policy changes), A:H (availability compromised if MCP or allowlist changes disrupt service). The flaw is a textbook privilege escalation and merits rapid remediation.
Frequently asked questions
Can an attacker with only read permissions exploit this?
No. The vulnerability requires at least operator.write scope. An attacker with read-only permissions cannot send commands via chat.send that would trigger the bypass.
Does patching require downtime?
Typically no. OpenClaw upgrades are designed to be rolling updates, allowing traffic to continue during the patch rollout. However, test in a staging environment and follow your vendor's specific upgrade procedure.
If we restrict network access to the Gateway, are we protected until we patch?
Restricting network access significantly reduces risk, but it is not a substitute for patching. If the Gateway must be accessible, you should implement additional monitoring and consider temporarily reducing permissions for accounts with operator.write scope until the patch is applied.
What should we do if we suspect exploitation has already occurred?
Immediately review audit logs for suspicious chat.send calls and check the audit trail of plugin, config, MCP, allowlist, and ACP mutations. Look for changes made by low-scope principals that should have required approval. Isolate affected configurations, restore from clean backups if necessary, and rotate credentials of accounts with operator.write scope. Contact OpenClaw support and consider engaging incident response if unauthorized changes are confirmed.
This analysis is provided for informational and educational purposes. The information herein is based on publicly available data and vendor advisories as of the publication date. Security posture, risk tolerance, and remediation timelines vary by organization; tailor your response based on your environment and risk profile. Always verify patch compatibility in non-production systems before deploying to production. For official vendor guidance, consult the OpenClaw security advisory and release notes. SEC.co makes no warranty regarding the completeness or accuracy of third-party vulnerability data and recommends independent verification of all findings. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-32906MEDIUMOpenClaw Privilege Escalation in Slack Plugin Approvals
- CVE-2026-34507MEDIUMOpenClaw QQBot Admin Command Policy Bypass (CVSS 5.4)
- CVE-2026-35673MEDIUMOpenClaw SSRF Policy Bypass in Debug and Export Routes
- CVE-2025-14774HIGHABB T-MAC Plus Denial-of-Service Vulnerability (CVSS 7.4)
- CVE-2025-32348HIGHAndroid Local Privilege Escalation via Missing Permission Check
- CVE-2026-3514HIGHPrefect 3.6.19 Authentication Bypass via Health Check Exemptions
- CVE-2026-35482HIGHalf.io Sandbox Escape Allows Admin Command Execution
- CVE-2026-10211MEDIUMAstrBot 4.23.6 Path Normalization Authorization Bypass