Main Vulnerability Database Vulnerabilities #VU128758

Incorrect authorization in OpenClaw - CVE-2026-35637

Published: May 1, 2026

Vulnerability identifier: #VU128758

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2026-35637

CWE-ID: CWE-863

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: OpenClaw

Affected software:
OpenClaw

Detailed vulnerability description

The vulnerability allows a remote user to access content before authorization is completed.

The vulnerability exists due to incorrect authorization in the Tlon cite expansion handler when processing cite expansion in channels and direct messages. A remote user can trigger cite expansion before the final authorization decision to access content before authorization is completed.

How to mitigate CVE-2026-35637

Install security update from vendor's website.

Sources

https://github.com/openclaw/openclaw/security/advisories/GHSA-vfg3-pqpq-93m4
https://github.com/openclaw/openclaw/commit/3cbf932413e41d1836cb91aed1541a28a3122f93

Incorrect authorization in OpenClaw - CVE-2026-35637

Detailed vulnerability description

How to mitigate CVE-2026-35637

Sources

Please verify you're human