CVE-2026-35663

High

OpenClaw before 2026.3.25 contains a privilege escalation vulnerability allowing non-admin operators to self-request broader scopes during…

VulnCheck·CWE-648·Published 2026-03-27

CVSS

8.8

EPSS

0.00

KEV

Exploits

cve.orgen

279 chars

OpenClaw before 2026.3.25 contains a privilege escalation vulnerability allowing non-admin operators to self-request broader scopes during backend reconnect. Attackers can bypass pairing requirements to reconnect as operator.admin, gaining unauthorized administrative privileges.

NVDen

279 chars

OSV.deven

796 chars

## Summary Gateway Backend Reconnect lets Non-Admin Operator Scopes Self-Claim operator.admin ## Affected Packages / Versions - Package: `openclaw` - Affected versions: `<= 2026.3.24` - First patched version: `2026.3.25` - Latest published npm version at verification time: `2026.3.24` ## Details Backend-labeled reconnects could previously self-request broader scopes and bypass pairing, allowing non-admin operators to reconnect as `operator.admin`. Commit `d3d8e316bd819d3c7e34253aeb7eccb2510f5f48` removes the backend self-pairing skip and requires pairing when requested scopes exceed the approved baseline. Verified vulnerable on tag `v2026.3.24` and fixed on `main` by commit `d3d8e316bd819d3c7e34253aeb7eccb2510f5f48`. ## Fix Commit(s) - `d3d8e316bd819d3c7e34253aeb7eccb2510f5f48`

GHSAen

796 chars

CVSS metrics across sources

Version	Type	Source	Base	Exp	Impact	Vector
3.1	Primary	NVD	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
3.1	Primary	cve.org	8.8	—	—	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0	Primary	cve.org	8.7	—	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
4.0	Secondary	GHSA	9.3	—	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
4.0	Secondary	NVD	8.7	—	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X