CVE-2026-35674 Overview
CVE-2026-35674 is a scope bypass vulnerability [CWE-863] in OpenClaw versions before 2026.5.18. The flaw resides in the Gateway chat.send route, where scoped clients can deliver commands through inherited external routes. Attackers holding only the operator.write scope can issue privileged commands that should require operator.approvals or operator.admin scope. Successful exploitation enables unauthorized mutations to plugins, configuration, Model Context Protocol (MCP) settings, allowlists, and Agent Control Plane (ACP) state.
Critical Impact
Low-privileged authenticated clients can escalate to administrative control over OpenClaw plugin, configuration, MCP, allowlist, and ACP subsystems through the Gateway chat.send route.
Affected Products
- OpenClaw (Node.js) versions before 2026.5.18
- Deployments exposing the Gateway chat.send route to scoped clients
- Environments inheriting external routes into the Gateway
Discovery Timeline
- 2026-05-29 - CVE-2026-35674 published to the National Vulnerability Database (NVD)
- 2026-06-01 - Last updated in NVD database
Technical Details for CVE-2026-35674
Vulnerability Analysis
The vulnerability is an authorization flaw [CWE-863] in the OpenClaw Gateway. OpenClaw assigns scopes such as operator.write, operator.approvals, and operator.admin to API clients. Each scope is intended to gate access to specific privileged operations. The Gateway's chat.send route inherits external routes without enforcing the scope checks defined on those downstream routes. As a result, the scope context of the caller is not re-evaluated against the privileged operations that the inherited routes expose.
An attacker authenticated with only the operator.write scope can deliver commands through chat.send that reach handlers normally protected by higher-privilege scopes. This allows the attacker to mutate plugin state, change configuration, alter MCP integrations, modify allowlists, and update Agent Control Plane resources. The impact covers full confidentiality, integrity, and availability of the OpenClaw control surface.
Root Cause
The root cause is missing or incorrect scope enforcement on routes inherited by the chat.send handler. The Gateway treats inherited routes as already authorized when invoked through chat.send, bypassing the per-route scope guard that exists on direct invocations. This is a classic broken authorization pattern where one trusted entry point reaches privileged code without re-checking caller permissions.
Attack Vector
Exploitation requires network access to the Gateway and a valid client credential with the operator.write scope. The attacker sends a crafted request to the chat.send route that targets an inherited external route mapped to a privileged operation. No user interaction is required. The Gateway accepts the command and forwards it to the privileged handler, which executes without verifying that the caller holds operator.approvals or operator.admin.
No verified public exploit code or proof-of-concept is currently available. Refer to the VulnCheck Security Advisory for additional technical detail.
Detection Methods for CVE-2026-35674
Indicators of Compromise
- Gateway access logs showing chat.send requests from clients holding only the operator.write scope that result in plugin, config, MCP, allowlist, or ACP changes
- Audit log entries recording mutations to privileged resources without a corresponding operator.approvals or operator.admin authorization event
- Unexpected modifications to allowlists or MCP server registrations originating from low-privileged service accounts
Detection Strategies
- Correlate chat.send invocations with downstream privileged route executions and alert when the caller scope does not match the target route's required scope
- Baseline normal chat.send traffic patterns per client identity and flag deviations such as new target routes or sudden administrative actions
- Review configuration change history for mutations that lack a matching approval record
Monitoring Recommendations
- Enable verbose Gateway audit logging for chat.send and all inherited external routes
- Forward Gateway and ACP audit logs to a centralized log platform for retention and correlation
- Alert on any plugin install, allowlist update, or MCP configuration change tied to a client whose scope set excludes operator.admin
How to Mitigate CVE-2026-35674
Immediate Actions Required
- Upgrade OpenClaw to version 2026.5.18 or later on every Gateway instance
- Audit all client credentials and revoke any unused tokens that hold operator.write scope
- Review recent plugin, config, MCP, allowlist, and ACP changes for unauthorized modifications and roll back where needed
Patch Information
The vendor fixed CVE-2026-35674 in OpenClaw 2026.5.18. Patch details and remediation guidance are published in the GitHub Security Advisory GHSA-hw9r-h9mr-4jff. Operators should apply the upgrade before re-exposing the Gateway to scoped clients.
Workarounds
- Restrict network access to the Gateway chat.send route to administrative clients until the patch is deployed
- Temporarily remove inherited external route mappings that expose privileged plugin, config, MCP, allowlist, or ACP operations
- Rotate operator credentials and tighten scope assignments so that no client holds operator.write without business need
# Configuration example: upgrade OpenClaw to the patched release
npm install openclaw@2026.5.18
# Verify installed version
npm ls openclaw
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
