CVE-2026-35647 Overview
CVE-2026-35647 is an access control vulnerability affecting OpenClaw before version 2026.3.25. The vulnerability exists in the verification notice handling mechanism, which fails to properly enforce Direct Message (DM) policy checks before transmitting messages. This allows attackers to bypass access restrictions and send verification notices to users who have configured their accounts to block unsolicited direct messages from unpaired peers.
The flaw is classified under CWE-288 (Authentication Bypass Using an Alternate Path or Channel), indicating that the application provides an alternate communication pathway that circumvents intended access control mechanisms.
Critical Impact
Attackers can bypass DM policy restrictions to send verification notices to users outside allowed direct message policies, potentially enabling targeted harassment, phishing, or social engineering attacks against users who have explicitly opted out of receiving unsolicited messages.
Affected Products
- OpenClaw versions prior to 2026.3.25
- OpenClaw for Node.js (all versions before the patched release)
- Deployments utilizing OpenClaw's verification notice functionality
Discovery Timeline
- April 10, 2026 - CVE-2026-35647 published to NVD
- April 13, 2026 - Last updated in NVD database
Technical Details for CVE-2026-35647
Vulnerability Analysis
This access control vulnerability resides in OpenClaw's message handling subsystem, specifically within the verification notice transmission workflow. The application implements DM policies that allow users to restrict who can send them direct messages, typically limiting communications to paired or approved peers only.
However, verification notices follow a separate code path that does not invoke the same policy validation checks applied to standard direct messages. When a verification notice is generated and queued for delivery, the system bypasses the recipient's DM policy configuration entirely, treating verification notices as exempt from access control enforcement.
This architectural flaw enables any user—regardless of their relationship status with the recipient—to trigger verification notice delivery to targets who have explicitly configured restrictive DM policies. The vulnerability can be exploited remotely over the network without requiring any user interaction from the victim.
Root Cause
The root cause is insufficient access validation in the verification notice transmission function. The codebase separates verification notices from regular direct messages, and the developers failed to apply consistent policy checks across both message types. The verification notice handler assumes all such notices are legitimate and should be delivered without validating whether the sender is authorized to communicate with the recipient under their configured DM policies.
Attack Vector
Exploitation occurs over the network without requiring authentication privileges or user interaction. An attacker can craft verification notice requests targeting any user, regardless of that user's configured DM restrictions. The attack flow involves:
- The attacker identifies a target user who has restrictive DM policies enabled
- The attacker initiates a verification notice request through the OpenClaw API or interface
- The verification notice handler processes the request without checking the recipient's DM policy
- The notice is delivered to the target, bypassing their configured access controls
This bypass could be leveraged for targeted harassment campaigns, phishing attempts disguised as verification requests, or social engineering attacks against users who believed they had protected themselves from unsolicited contact.
The vulnerability mechanism exploits the lack of DM policy enforcement in the verification notice code path. When a verification notice is generated, the system should validate that the sender is permitted to contact the recipient according to the recipient's configured policies. Instead, the notice bypasses these checks entirely and is transmitted directly to the unpaired peer.
For detailed technical analysis, refer to the GitHub Security Advisory and the VulnCheck Advisory.
Detection Methods for CVE-2026-35647
Indicators of Compromise
- Unexpected verification notices received by users with restrictive DM policies configured
- Increased volume of verification notice generation from specific accounts or IP addresses
- User complaints about receiving unsolicited contact despite having DM restrictions enabled
- Anomalous patterns in verification notice logs showing delivery to unpaired peers
Detection Strategies
- Implement logging to correlate verification notice delivery with recipient DM policy configurations
- Monitor for high-frequency verification notice generation from individual accounts
- Deploy alerting rules for verification notices delivered to users with restrictive DM settings
- Audit access logs for patterns indicating systematic exploitation of the policy bypass
Monitoring Recommendations
- Enable detailed logging for all verification notice transmissions including sender-recipient relationship status
- Create dashboards tracking verification notice delivery rates segmented by recipient policy type
- Set up anomaly detection for verification notices crossing policy boundaries
- Review and correlate user abuse reports with verification notice delivery logs
How to Mitigate CVE-2026-35647
Immediate Actions Required
- Upgrade OpenClaw to version 2026.3.25 or later immediately
- Review logs for evidence of exploitation prior to patching
- Notify users who may have been affected by the policy bypass
- Consider temporarily disabling verification notices until the patch is applied
Patch Information
OpenClaw has released a fix in version 2026.3.25 that adds proper DM policy validation to the verification notice transmission path. The patch ensures that verification notices respect the same access control checks as standard direct messages.
The fix is available through the GitHub commit 2383daf5c4a4e08d9553e0e949552ad755ef9ec2. Organizations should update their OpenClaw deployments as soon as possible.
For additional context and patch details, refer to the GitHub Security Advisory GHSA-9wqx-g2cw-vc7r.
Workarounds
- Implement network-level filtering to block verification notice requests from untrusted sources as a temporary measure
- Add application-layer middleware to validate DM policies before verification notice delivery
- Consider rate-limiting verification notice generation per account until patching is complete
# Upgrade OpenClaw to patched version
npm update openclaw@2026.3.25
# Verify installed version
npm list openclaw
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
