CVE-2026-35648 Overview
CVE-2026-35648 is a policy bypass vulnerability in OpenClaw before version 2026.3.22 that stems from a Time-of-Check Time-of-Use (TOCTOU) race condition (CWE-367). The vulnerability exists because queued node actions are not revalidated against the current command policy when they are delivered. This allows attackers to exploit stale allowlists or declarations that survive policy tightening, ultimately enabling the execution of unauthorized commands.
Critical Impact
Attackers can bypass security policies by exploiting stale command allowlists, potentially executing unauthorized commands after policy restrictions have been tightened.
Affected Products
- OpenClaw versions prior to 2026.3.22
- OpenClaw Node.js implementations using the plugin-sdk command-auth module
- Systems utilizing the resolveCommandAuthorization function for command gating
Discovery Timeline
- 2026-04-10 - CVE-2026-35648 published to NVD
- 2026-04-13 - Last updated in NVD database
Technical Details for CVE-2026-35648
Vulnerability Analysis
This vulnerability is classified as a Time-of-Check Time-of-Use (TOCTOU) race condition. In the affected versions of OpenClaw, when node actions are queued for execution, the command authorization is validated at queue time. However, when those queued actions are later delivered and executed, the system fails to revalidate them against the current command policy. This creates a window where policy changes (specifically, policy tightening that restricts previously allowed commands) are not applied to already-queued actions.
The root cause lies in the command-auth.ts module, specifically in how the resolveCommandAuthorization function interacts with the node command policy system. The security patch significantly expanded this module (moving from line 303 to line 440 in the source), indicating substantial changes to the authorization validation logic.
Root Cause
The fundamental issue is the separation between authorization validation timing and action execution timing. When commands are queued through the gateway server methods for nodes, the authorization check occurs only once at queue time. The isNodeCommandAllowed and resolveNodeCommandAllowlist functions from the node-command-policy module were not being invoked at delivery time, allowing stale authorizations to persist.
Attack Vector
An attacker with low-privileged access to the system could exploit this vulnerability through the following mechanism:
- Obtain authorization for a command while it is on the allowlist
- Queue an action that utilizes this authorized command
- Wait for (or trigger) a policy tightening that removes the command from the allowlist
- The queued action executes with the original (now-invalid) authorization
The attack requires network access and authenticated privileges, though the complexity is high due to the timing requirements and the need for specific environmental conditions.
// Security patch in src/gateway/server-methods/nodes.ts
// Nodes: recheck queued actions before delivery (#46815)
import { isNodeCommandAllowed, resolveNodeCommandAllowlist } from "../node-command-policy.js";
import { sanitizeNodeInvokeParamsForForwarding } from "../node-invoke-sanitize.js";
import {
+ type ConnectParams,
ErrorCodes,
errorShape,
validateNodeDescribeParams,
Source: GitHub Commit Fix
The patch introduces additional validation by importing ConnectParams and ensures that node commands are rechecked against current policy before delivery, closing the TOCTOU window.
Detection Methods for CVE-2026-35648
Indicators of Compromise
- Unexpected command executions occurring after policy restrictions have been applied
- Log entries showing commands executed by users who should no longer have authorization
- Discrepancies between current allowlist configurations and actual command execution patterns
- Queued actions being processed with outdated authorization contexts
Detection Strategies
- Monitor for command executions that occur outside of current policy allowlists
- Implement logging that captures both queue-time and execution-time authorization states
- Review audit logs for commands executed after recent policy tightening events
- Deploy integrity checks comparing expected vs. actual command authorization flows
Monitoring Recommendations
- Enable verbose logging on the command-auth.ts module to track authorization decisions
- Set up alerts for command executions immediately following policy configuration changes
- Monitor the gateway server methods for unusual patterns in node action queuing and delivery
- Implement time-based correlation between policy changes and command execution events
How to Mitigate CVE-2026-35648
Immediate Actions Required
- Upgrade OpenClaw to version 2026.3.22 or later immediately
- Review recent command execution logs for any unauthorized actions that may have occurred
- Audit current command policies and ensure they reflect intended access controls
- Consider temporarily suspending queued actions during policy transition periods
Patch Information
The vulnerability has been addressed in OpenClaw version 2026.3.22 and later. The security fixes were implemented across multiple commits that enhance the authorization validation process:
- GitHub Commit Fix - Implements revalidation of queued actions before delivery
- GitHub Commit Update - Build preparation for 2026.3.23-2
For complete details, refer to the GitHub Security Advisory (GHSA-wj55-88gf-x564).
Workarounds
- Implement a queue flush procedure that clears all pending actions when policy changes are made
- Add an additional authorization check layer at the application level before command execution
- Temporarily disable command queuing functionality until the patch can be applied
- Restrict network access to the affected nodes to trusted sources only during the mitigation period
# Configuration example - Clear queued actions after policy update
openclaw-ctl policy apply --config new-policy.yaml
openclaw-ctl queue flush --all-nodes
openclaw-ctl queue verify --policy-sync
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
