CVE-2026-35655 Overview
OpenClaw before version 2026.3.22 contains an identity spoofing vulnerability (CWE-807: Reliance on Untrusted Inputs in a Security Decision) in the ACP permission resolution mechanism. The vulnerability occurs because the system trusts conflicting tool identity hints from both rawInput and metadata parameters without proper validation. Attackers can exploit this flaw by spoofing tool identities through rawInput parameters to suppress dangerous-tool prompting and bypass security restrictions.
Critical Impact
This vulnerability allows attackers to bypass security controls by spoofing tool identities, potentially enabling unauthorized actions without triggering security prompts or restrictions.
Affected Products
- OpenClaw versions prior to 2026.3.22
- OpenClaw for Node.js (all affected versions)
Discovery Timeline
- April 10, 2026 - CVE-2026-35655 published to NVD
- April 13, 2026 - Last updated in NVD database
Technical Details for CVE-2026-35655
Vulnerability Analysis
The identity spoofing vulnerability in OpenClaw stems from improper handling of tool identity resolution within the ACP (Access Control Policy) permission system. When processing tool invocations, the system accepts identity information from multiple sources—specifically the rawInput parameter and metadata fields—without adequately validating consistency between these sources or establishing a trusted chain of identity verification.
This design flaw allows an attacker with low-privilege access to craft malicious requests that include spoofed tool identity information in the rawInput parameter. When the ACP permission resolver processes these requests, it may trust the attacker-controlled identity hints over legitimate metadata, resulting in the suppression of dangerous-tool prompting mechanisms that would normally alert users or block potentially harmful operations.
The attack requires user interaction to be successful, as the exploitation path involves manipulating the interface or input mechanisms that process tool invocations.
Root Cause
The root cause is the system's reliance on untrusted inputs when making security decisions (CWE-807). The ACP permission resolution logic does not implement proper source verification or conflict resolution when tool identity information differs between rawInput parameters and authoritative metadata. This creates a trust boundary violation where attacker-controlled data influences security-critical identity decisions.
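The conflict-resolution gap described above, shown as an added example (not OpenClaw's code and not taken from the patch): a resolver that lets the rawInput hint win, beside one that treats metadata as the only identity source and fails closed on any conflict. The request shape (`metadata.toolName`, `rawInput.tool`), the tool names and the function names are assumptions made for illustration.

```javascript
// Added example. DANGEROUS_TOOLS, the request shape and the function names are
// hypothetical; they are not OpenClaw's real API.
const DANGEROUS_TOOLS = new Set(["exec", "write_file", "delete_file"]);

// Treat anything that is not a non-empty string as "no hint supplied".
function normalize(hint) {
  return typeof hint === "string" && hint.trim() !== "" ? hint.trim().toLowerCase() : null;
}

// Weak pattern (CWE-807): the caller-supplied rawInput hint overrides metadata,
// so the prompt decision is made on attacker-influenced data.
function resolveNaive(req) {
  const name = normalize(req.rawInput?.tool) ?? normalize(req.metadata?.toolName);
  return { tool: name, prompt: name === null || DANGEROUS_TOOLS.has(name) };
}

// Hardened pattern: metadata is the only identity source. rawInput may agree
// with it but never override it; a conflict or missing identity forces a prompt.
function resolveStrict(req) {
  const trusted = normalize(req.metadata?.toolName);
  const hint = normalize(req.rawInput?.tool);
  if (trusted === null) {
    return { tool: null, prompt: true, reason: "no-trusted-identity" };
  }
  if (hint !== null && hint !== trusted) {
    return { tool: trusted, prompt: true, reason: "identity-conflict" };
  }
  return { tool: trusted, prompt: DANGEROUS_TOOLS.has(trusted), reason: "ok" };
}

// Constructed sample requests.
const conflicting = { metadata: { toolName: "exec" }, rawInput: { tool: "read_file" } };
const consistent = { metadata: { toolName: "read_file" }, rawInput: { tool: "read_file" } };
const hintOnly = { rawInput: { tool: "read_file" } };

console.log(resolveNaive(conflicting), resolveStrict(conflicting));
console.log(resolveStrict(consistent), resolveStrict(hintOnly));
```

The strict resolver also prompts when the trusted identity is a safe tool but the hint disagrees, since a mismatch is itself the signal worth surfacing.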
Attack Vector
The vulnerability is exploitable over the network by authenticated attackers with low privileges. The attack flow involves:
- The attacker identifies the rawInput parameter processing pathway in the ACP permission resolver
- The attacker crafts a request with manipulated tool identity hints in the rawInput field
- When processed, the spoofed identity causes the system to treat a dangerous tool as safe
- Security prompts and restrictions are bypassed, allowing unauthorized tool execution
The vulnerability allows integrity impact through the bypass of security controls, though confidentiality and availability are not directly affected. For detailed technical information, refer to the GitHub Security Advisory GHSA-74wf-h43j-vvmj and the VulnCheck Advisory.
Detection Methods for CVE-2026-35655
Indicators of Compromise
- Unusual tool invocations that bypass expected security prompts
- Discrepancies between rawInput tool identities and metadata in request logs
- Tool executions from unexpected or unauthorized sources
- Missing or suppressed dangerous-tool warning events in security logs
Detection Strategies
- Monitor ACP permission resolution logs for identity mismatches between rawInput and metadata fields
- Implement alerts for tool invocations that should trigger dangerous-tool prompts but do not
- Review authentication and authorization logs for patterns of tool identity manipulation
- Deploy application-layer monitoring to detect anomalous request patterns in tool invocation endpoints
Monitoring Recommendations
- Enable detailed logging of all ACP permission resolution decisions including identity source information
- Configure SIEM rules to correlate tool invocations with expected security prompt events
- Implement behavioral analysis to detect deviations from normal tool usage patterns
- Regularly audit tool invocation logs for evidence of identity spoofing attempts
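One way to implement the correlation described under Detection Strategies and Monitoring Recommendations, as an added example that is not part of the advisory or of OpenClaw: it groups log events per tool call and flags calls where the rawInput and metadata identities differ, or where a dangerous tool ran with no prompt event. The JSON-lines schema, event names and tool names are assumptions, and the sample log is constructed.

```javascript
// Constructed JSON-lines log. Event names and fields are assumptions for this
// example, not OpenClaw's actual log schema.
const SAMPLE_LOG = [
  '{"ts":1,"event":"permission_resolved","callId":"c1","metadataTool":"read_file","rawInputTool":"read_file"}',
  '{"ts":2,"event":"tool_executed","callId":"c1","tool":"read_file"}',
  '{"ts":3,"event":"permission_resolved","callId":"c2","metadataTool":"exec","rawInputTool":"read_file"}',
  '{"ts":4,"event":"tool_executed","callId":"c2","tool":"exec"}',
  '{"ts":5,"event":"permission_resolved","callId":"c3","metadataTool":"exec","rawInputTool":"exec"}',
  '{"ts":6,"event":"dangerous_tool_prompt","callId":"c3","tool":"exec"}',
  '{"ts":7,"event":"tool_executed","callId":"c3","tool":"exec"}',
  'not json',
].join("\n");

const DANGEROUS = new Set(["exec", "write_file"]); // hypothetical tool names

// Returns per-call findings plus a count of lines that could not be used,
// so silent log corruption is visible to the analyst as well.
function findSuspiciousCalls(logText, dangerous = DANGEROUS) {
  const calls = new Map();
  let unparsable = 0;
  for (const line of logText.split("\n")) {
    if (!line.trim()) continue;
    let e;
    try { e = JSON.parse(line); } catch { unparsable++; continue; }
    if (e === null || typeof e !== "object" || !e.callId) { unparsable++; continue; }
    const c = calls.get(e.callId) ?? { mismatch: false, prompted: false, executed: null };
    if (e.event === "permission_resolved" && e.rawInputTool &&
        e.rawInputTool !== e.metadataTool) c.mismatch = true;
    if (e.event === "dangerous_tool_prompt") c.prompted = true;
    if (e.event === "tool_executed") c.executed = e.tool;
    calls.set(e.callId, c);
  }
  const findings = [];
  for (const [callId, c] of calls) {
    const reasons = [];
    if (c.mismatch) reasons.push("identity-mismatch");
    if (c.executed && dangerous.has(c.executed) && !c.prompted) reasons.push("dangerous-without-prompt");
    if (reasons.length) findings.push({ callId, reasons });
  }
  return { findings, unparsable };
}

console.log(JSON.stringify(findSuspiciousCalls(SAMPLE_LOG)));
```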
How to Mitigate CVE-2026-35655
Immediate Actions Required
- Upgrade OpenClaw to version 2026.3.22 or later immediately
- Review recent tool invocation logs for signs of exploitation
- Audit ACP permission configurations for potential misuse
- Temporarily restrict access to sensitive tool invocations pending patch deployment
Patch Information
The OpenClaw maintainers have released patches to address this vulnerability. The fixes are available in the following commits:
For complete details, refer to the GitHub Security Advisory GHSA-74wf-h43j-vvmj.
Workarounds
- Implement additional validation layers to verify tool identity consistency before permission resolution
- Restrict rawInput parameter processing to trusted sources only
- Enable strict mode for dangerous-tool prompting that cannot be bypassed by identity hints
- Deploy Web Application Firewall (WAF) rules to filter suspicious tool identity parameters in requests
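# Example: Update OpenClaw to the patched version via npm
# (npm update does not accept a version specifier such as @latest; use npm install)
npm install openclaw@latest
# Verify the installed version is 2026.3.22 or later
npm list openclaw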


