CVE-2026-35649 Overview
OpenClaw before version 2026.3.22 contains a settings reconciliation vulnerability that allows attackers to bypass intended deny-all revocations through the handling of empty allowlists. During reconciliation, an explicitly empty allowlist is treated as if it were unset, which silently undoes the intended denial and restores previously revoked permissions.
Critical Impact
Attackers can bypass access control denials and restore previously revoked permissions by exploiting improper handling of empty allowlists during settings reconciliation.
Affected Products
- OpenClaw versions prior to 2026.3.22
- OpenClaw as distributed via npm for Node.js environments
Discovery Timeline
- 2026-04-10 - CVE-2026-35649 published to NVD
- 2026-04-13 - Last updated in NVD database
Technical Details for CVE-2026-35649
Vulnerability Analysis
This vulnerability (CWE-183: Permissive List of Allowed Inputs) occurs in OpenClaw's settings reconciliation logic. When an administrator configures an explicitly empty allowlist to implement a deny-all policy, the reconciliation code interprets it as an unset value rather than an intentional empty list. The effect is that reconciliation silently restores previously revoked permissions, bypassing the intended access control restrictions.
The attack is network-accessible and does not require user interaction, though it does require specific preconditions related to how allowlists are configured in the target environment. The vulnerability primarily impacts confidentiality and integrity by allowing unauthorized access to resources that were intended to be restricted.
Root Cause
The root cause lies in the settings reconciliation function's failure to distinguish between an explicitly empty allowlist (intended as a deny-all configuration) and an unset/undefined allowlist value. During the reconciliation process, the code treats both states identically, defaulting to restoring previous permission settings rather than enforcing the empty allowlist as a restrictive policy.
Attack Vector
The attack exploits the network-accessible settings reconciliation mechanism in OpenClaw. An attacker can trigger or wait for the reconciliation process to occur after an administrator has set an empty allowlist to revoke all permissions. When reconciliation runs, it interprets the empty allowlist as unset and restores the previous access control state, granting the attacker access to resources that should have been denied.
The vulnerability mechanism involves the following sequence:
- An administrator configures an explicit empty allowlist to implement a deny-all policy
- The settings reconciliation process runs (either automatically or triggered)
- The reconciliation logic incorrectly treats the empty allowlist as an unset value
- Previous permission settings are silently restored, bypassing the intended denial
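The sequence above comes down to one conditional in the reconciliation code: whether "no entries" and "no value" are handled as the same case. The following is an added example that models that conditional in plain Node.js; it is not OpenClaw's code, and the function names, the `{ allowlist?: string[] }` settings shape and the "previous state" object are assumptions chosen to show the CWE-183 pattern beside its fix.

```javascript
// Added example (not OpenClaw's source). Hypothetical settings shape:
//   { allowlist?: string[] }
// where a missing key means "unset: keep whatever was in effect" and an
// array, including [], is an explicit policy that must be enforced.

// Vulnerable pattern: "empty" and "unset" collapse into one branch, so an
// explicit [] (the administrator's deny-all) falls back to the previously
// effective allowlist. Note that [] is truthy in JavaScript; it is the
// length check that causes the collapse here.
function reconcileVulnerable(incoming, previous) {
  const list = incoming.allowlist;
  if (!list || list.length === 0) {
    // BUG: an explicit [] is treated the same as "not configured".
    return { allowlist: previous.allowlist ?? [] };
  }
  return { allowlist: [...list] };
}

// Hardened pattern: only a missing key (undefined/null) means "unset". Any
// array, including an empty one, is enforced verbatim.
function reconcileFixed(incoming, previous) {
  const list = incoming.allowlist;
  if (list === undefined || list === null) {
    return { allowlist: previous.allowlist ?? [] };
  }
  if (!Array.isArray(list)) {
    throw new TypeError("allowlist must be an array when present");
  }
  return { allowlist: [...list] };
}

// Authorization check shared by both variants.
function isAllowed(state, principal) {
  return state.allowlist.includes(principal);
}

// Walk the advisory's sequence with constructed sample data: a prior state
// that allowed two principals, then an explicit deny-all from the admin.
function demoDenyAll(reconcile) {
  const previous = { allowlist: ["alice", "bob"] }; // constructed prior state
  const denyAll = { allowlist: [] };                 // admin's explicit deny-all
  const effective = reconcile(denyAll, previous);
  return {
    effective: effective.allowlist,
    aliceAllowed: isAllowed(effective, "alice"),
  };
}

// A genuinely unset allowlist must still carry the old state forward in both
// variants, so the fix does not break the intended "unset" semantics.
function demoUnset(reconcile) {
  const previous = { allowlist: ["alice"] };
  return reconcile({}, previous).allowlist;
}

console.log("vulnerable deny-all:", demoDenyAll(reconcileVulnerable));
console.log("fixed deny-all:     ", demoDenyAll(reconcileFixed));
console.log("unset (fixed):      ", demoUnset(reconcileFixed));
```

Run it with `node` and compare the two deny-all lines: the vulnerable variant reports `aliceAllowed: true` with both principals restored, the fixed variant reports `aliceAllowed: false` with an empty effective list. The general lesson is to test the three states (absent, empty, populated) separately for any optional allowlist field, rather than relying on a single emptiness check.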
For detailed technical analysis and the specific code changes, see the GitHub Security Advisory.
Detection Methods for CVE-2026-35649
Indicators of Compromise
- Unexpected restoration of user permissions after administrative access revocation
- Settings reconciliation events that modify allowlist configurations without administrator action
- Access log entries showing users accessing resources after deny-all policies were implemented
- Audit trail discrepancies between configured allowlist settings and effective permissions
Detection Strategies
- Monitor settings reconciliation logs for unexpected permission state changes
- Implement alerting on any modification to allowlist configurations during reconciliation processes
- Compare effective permission states against configured allowlist policies to detect drift
- Review access control audit logs for users accessing resources after permission revocation events
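The strategies above (watch reconciliation for allowlist changes nobody requested, compare effective against configured state, and check access events against the last revocation) can be expressed as a small detector over audit events. The block below is an added example, not OpenClaw tooling; the JSON-lines event format and its field names (`type`, `ts`, `actor`, `allowlist`, `before`, `after`, `principal`, `resource`) are constructed for illustration and will need to be mapped onto whatever your OpenClaw deployment actually logs.

```javascript
// Added example (not OpenClaw tooling). Constructed audit events, one JSON
// object per line, in a hypothetical format: an admin sets an allowlist,
// then revokes everyone with [], a reconciliation with no actor widens it
// back, and two access events follow.
const sampleLog = [
  '{"ts":"2026-04-01T10:00:00Z","type":"settings.update","actor":"admin","allowlist":["alice","bob"]}',
  '{"ts":"2026-04-01T10:05:00Z","type":"settings.update","actor":"admin","allowlist":[]}',
  '{"ts":"2026-04-01T10:05:30Z","type":"settings.reconcile","actor":null,"before":[],"after":["alice","bob"]}',
  '{"ts":"2026-04-01T10:06:00Z","type":"access","principal":"alice","resource":"/tools/exec"}',
  '{"ts":"2026-04-01T10:07:00Z","type":"access","principal":"carol","resource":"/tools/exec"}',
].join("\n");

function parseEvents(text) {
  return text.split("\n").filter(Boolean).map((line) => JSON.parse(line));
}

function sameList(a, b) {
  return JSON.stringify([...a].sort()) === JSON.stringify([...b].sort());
}

// Replays events in order and returns findings for the three rules.
function detectDrift(text) {
  const findings = [];
  let configured = null; // last allowlist an administrator explicitly set (null = never set)

  for (const ev of parseEvents(text)) {
    switch (ev.type) {
      case "settings.update":
        configured = ev.allowlist;
        break;
      case "settings.reconcile":
        // Rule 1: reconciliation with no administrator actor widened an
        // explicit deny-all. This is the exact signature of the bug.
        if (!ev.actor && Array.isArray(ev.before) && ev.before.length === 0 && ev.after.length > 0) {
          findings.push({ ts: ev.ts, rule: "reconcile-widened-deny-all", after: ev.after });
        }
        // Rule 2: effective state after reconciliation differs from what the
        // admin last configured. (configured is [] here, which is truthy.)
        if (configured && !sameList(ev.after, configured)) {
          findings.push({ ts: ev.ts, rule: "effective-vs-configured-drift", configured, effective: ev.after });
        }
        break;
      case "access":
        // Rule 3: access by a principal the configured policy does not allow.
        if (configured && !configured.includes(ev.principal)) {
          findings.push({ ts: ev.ts, rule: "access-after-revocation", principal: ev.principal, resource: ev.resource });
        }
        break;
      default:
        break;
    }
  }
  return findings;
}

for (const f of detectDrift(sampleLog)) console.log(JSON.stringify(f));
```

On the constructed sample this yields four findings: the reconciliation event trips rules 1 and 2, and both access events trip rule 3 because the last administrator-set policy was the empty list. Rule 3 is the one worth keeping after patching, since it catches any future divergence between configured and enforced policy regardless of cause.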
Monitoring Recommendations
- Enable verbose logging for all settings reconciliation operations in OpenClaw
- Implement periodic audits comparing intended access control policies against actual effective permissions
- Configure alerts for any access events that occur after deny-all policies are applied
- Deploy SentinelOne Singularity Platform to monitor for anomalous access patterns and permission changes
How to Mitigate CVE-2026-35649
Immediate Actions Required
- Upgrade OpenClaw to version 2026.3.22 or later immediately
- Review current allowlist configurations to identify any empty allowlist deny-all policies
- Manually verify that intended access revocations are still in effect
- Audit access logs for any unauthorized access during the vulnerable period
Patch Information
OpenClaw has released security patches addressing this vulnerability. For the fixing commits and complete details, refer to the GitHub Security Advisory GHSA-pw7h-9g6p-c378.
Workarounds
- Avoid expressing deny-all policies as empty allowlists until patched; where the deployment supports it, use an explicit deny configuration instead
- Implement additional access control layers outside of OpenClaw allowlist mechanisms
- Disable automatic settings reconciliation processes until the patch can be applied
- Manually monitor and verify access control state after any configuration changes
# Upgrade OpenClaw to the patched version (npm update does not accept a pinned version this way; use install)
# Add -g to both commands if OpenClaw is installed globally
npm install openclaw@2026.3.22
# Verify the installed version is 2026.3.22 or later
npm list openclaw
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


