Improper Authorization in OpenClaw - CVE-2026-35620

Published: May 1, 2026

Vulnerability identifier: #VU128733
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-35620
CWE-ID: CWE-285
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OpenClaw
Affected software:
OpenClaw

Detailed vulnerability description

The vulnerability allows a remote user to modify the current session delivery policy.

The vulnerability exists due to improper authorization in the handleSendPolicyCommand function when processing the owner-only /send on|off|inherit command. A remote user can send a /send command to modify the current session delivery policy.

The issue is reachable by senders who are authorized to run commands but are not treated as the owner; the resulting policy change is persisted for the current session.


How to mitigate CVE-2026-35620

Install the security update from the vendor's website.

Sources