6.5

CVE-2026-35649

OpenClaw < 2026.3.22 - Settings Reconciliation Bypass via Empty Allowlist

OpenClaw before 2026.3.22 contains a settings reconciliation vulnerability that allows attackers to bypass intended deny-all revocations by exploiting empty allowlist handling. The vulnerability treats explicit empty allowlists as unset during reconciliation, silently undoing intended access control denials and restoring previously revoked permissions.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
OpenClawOpenClaw SwPlatformnode.js Version < 2026.3.22
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.28% 0.193
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
disclosure@vulncheck.com 6.5 3.9 2.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
disclosure@vulncheck.com 6.3 0 0
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CWE-183 Permissive List of Allowed Inputs

The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are assumed to be safe, but the list is too permissive - that is, it allows an input that is unsafe, leading to resultant weaknesses.

https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87
Patch
https://github.com/openclaw/openclaw/commit/3cbf932413e41d1836cb91aed1541a28a3122f93
Patch
https://github.com/openclaw/openclaw/security/advisories/GHSA-pw7h-9g6p-c378
Vendor Advisory
https://www.vulncheck.com/advisories/openclaw-settings-reconciliation-bypass-via-empty-allowlist
Third Party Advisory