CVE-2026-35620 Overview
CVE-2026-35620 is a missing authorization vulnerability affecting OpenClaw versions prior to 2026.3.24. The vulnerability exists in the /send and /allowlist chat command handlers, which fail to properly enforce authorization requirements. The /send command allows non-owner command-authorized senders to modify owner-only session delivery policy settings, while the /allowlist mutating commands do not enforce the required operator.admin scope.
Attackers with operator.write scope can exploit this vulnerability to invoke /send on|off|inherit commands to persistently modify the current session's sendPolicy. Additionally, they can execute /allowlist add commands to manipulate config-backed allowFrom entries and pairing-store allowlist entries without proper admin authorization.
Critical Impact
Unauthorized users with limited operator privileges can escalate their access to modify session delivery policies and allowlist configurations, potentially enabling further attacks or bypassing security controls.
Affected Products
- OpenClaw versions prior to 2026.3.24
- OpenClaw for Node.js (all affected versions)
Discovery Timeline
- April 10, 2026 - CVE-2026-35620 published to NVD
- April 13, 2026 - Last updated in NVD database
Technical Details for CVE-2026-35620
Vulnerability Analysis
This vulnerability is classified as CWE-862 (Missing Authorization), a configuration and design flaw where security constraints are absent from critical functionality. The core issue stems from the chat command handlers in OpenClaw failing to validate that the requesting user has the appropriate authorization scope before executing privileged operations.
The /send command handler permits any user with command authorization to modify session-level delivery policy settings that should be restricted to owner accounts only. This represents a broken access control scenario where privilege boundaries are not properly enforced at the application layer.
Similarly, the /allowlist command's mutating operations (add/remove) fail to verify that the caller possesses operator.admin scope. Instead, users with only operator.write scope can manipulate allowlist entries, which affects both the configuration-backed allowFrom entries and pairing-store allowlist records.
Root Cause
The root cause is the absence of authorization checks in the chat command handlers. The application assumes that if a user can invoke a command, they are authorized to perform all operations within that command's scope. This design flaw fails to implement proper scope validation for sensitive operations that modify session policies and allowlist configurations.
The commands-registry configuration defines the commands but does not enforce the required permission scopes at execution time, allowing lower-privileged operators to access functionality intended for administrators only.
Attack Vector
The attack vector is network-based and requires an authenticated attacker with operator.write scope. The attack can be executed through the following methods:
Session Policy Manipulation: An attacker invokes /send on, /send off, or /send inherit commands to persistently change the session's sendPolicy, affecting message delivery behavior.
Allowlist Modification: An attacker executes /allowlist add commands to insert unauthorized entries into the allowlist, potentially granting access to malicious senders or removing legitimate restrictions.
The following code shows the security patch that adds the /allowlist command with proper scope handling:
description: "Show current status.",
textAlias: "/status",
}),
+ defineChatCommand({
+ key: "allowlist",
+ description: "List/add/remove allowlist entries.",
+ textAlias: "/allowlist",
+ acceptsArgs: true,
+ scope: "text",
+ }),
defineChatCommand({
key: "context",
nativeName: "context",
Source: GitHub Commit 555b257
The fix also includes proper import of the allowlist command handler:
handleStatusCommand,
handleWhoamiCommand,
} from "./commands-info.js";
+import { handleAllowlistCommand } from "./commands-allowlist.js";
import { handleSubagentsCommand } from "./commands-subagents.js";
import {
handleAbortTrigger,
Source: GitHub Commit 555b257
Detection Methods for CVE-2026-35620
Indicators of Compromise
- Unexpected changes to session sendPolicy settings from non-owner accounts
- Unauthorized modifications to allowlist entries in configuration or pairing-store
- Audit logs showing /send or /allowlist commands executed by users with only operator.write scope
- Anomalous entries in allowFrom configurations that were not added by administrators
Detection Strategies
- Monitor chat command logs for /send on|off|inherit commands from non-owner accounts
- Implement alerting on /allowlist add or /allowlist remove operations from users lacking operator.admin scope
- Review session store files for unexpected sendPolicy modifications
- Audit configuration changes to identify unauthorized allowlist entries
Monitoring Recommendations
- Enable verbose logging for all chat command executions to capture scope and user context
- Implement file integrity monitoring on session store and configuration files
- Create alerts for privilege escalation patterns where operator.write users attempt admin operations
- Regularly audit allowlist entries and session policies for unauthorized changes
How to Mitigate CVE-2026-35620
Immediate Actions Required
- Upgrade OpenClaw to version 2026.3.24 or later immediately
- Review all current session sendPolicy configurations for unauthorized modifications
- Audit allowlist entries and remove any suspicious or unauthorized additions
- Temporarily restrict operator.write scope assignments until the patch is applied
Patch Information
The vendor has released security patches to address this vulnerability. The fixes are available in the following commits:
- Commit 555b2578 - Adds proper /allowlist command implementation
- Commit ccfeecb6 - Additional authorization fixes
- Commit ea018a68 - Reply pipeline refactoring with security improvements
Additional details are available in the GitHub Security Advisory GHSA-39mp-545q-w789 and GHSA-vqvg-86cc-cg83.
Workarounds
- Implement network-level access controls to restrict who can send chat commands
- Review and minimize the number of users with operator.write scope
- Deploy application-layer firewall rules to block /send and /allowlist commands from untrusted sources
- Enable comprehensive audit logging to detect and respond to exploitation attempts
# Review current OpenClaw version
npm list openclaw
# Upgrade to patched version
npm update openclaw@2026.3.24
# Verify installation
npm list openclaw
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
