Description
OpenClaw before 2026.3.22 contains a privilege escalation vulnerability in the Control UI that allows unauthenticated sessions to retain self-declared privileged scopes without device identity verification. Attackers can exploit the device-less allow path in the trusted-proxy mechanism to maintain elevated permissions by declaring arbitrary scopes, bypassing device identity requirements.
Published: 2026-04-09
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

A flaw in OpenClaw's Control UI lets a session that has not proved a device identity declare privileged scopes and keep them: on the device-less allow path of the trusted-proxy mechanism, the session's scopes are taken from the client's own claim rather than from a verified device. An attacker who reaches the Control UI through that path can therefore operate with elevated permissions, and both CVSS vectors rate the impact on confidentiality, integrity and availability as high, i.e. effectively full control of the OpenClaw instance behind the Control UI. The issue is classified as CWE-286 (Incorrect User Management): the product fails to manage which privileges a user or session legitimately holds.

Affected Systems

OpenClaw versions earlier than 2026.3.22 are affected. The only CPE listed is cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*, i.e. the Node.js build of the product, with no narrower version sub-ranges for this issue.

Risk and Exploitability

The CVSS 4.0 score of 8.7 (CVSS 3.1: 8.8) rates the issue high: network-reachable, low attack complexity, no user interaction, and high impact on confidentiality, integrity and availability. Note that both vectors record PR:L, so the scoring treats the attacker as needing some low-privilege access to the Control UI, although the description speaks of unauthenticated sessions. EPSS is below 1%, the CVE is not in the CISA Known Exploited Vulnerabilities catalog, and the SSVC record marks exploitation as none, so there is no public evidence of exploitation yet. The exploit path is nevertheless simple, a client declaring arbitrary scopes on the device-less allow path, so any deployment whose Control UI is reachable through the trusted proxy by clients without a verified device identity should treat it as a significant risk.

Generated by OpenCVE AI on April 9, 2026 at 22:38 UTC.
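The following is an added illustration, not OpenClaw's code: a minimal model of a Control UI authorizer with a "device-less allow path" behind a trusted proxy, showing how client-declared scopes get retained on that path, the hardened variant that derives scopes only from a verified device identity, and an audit over existing sessions of the kind the monitoring action below calls for. Every name (the scope strings, DEVICE_REGISTRY, the request and session shapes, the fingerprint check standing in for real device verification) is a hypothetical stand-in.

```javascript
// Added illustration, not OpenClaw's code: a minimal Control UI authorizer
// with a device-less allow path behind a trusted proxy. All identifiers and
// data here are hypothetical stand-ins.

const PRIVILEGED = new Set(["operator.admin", "operator.write"]);
// Assumption: the most a session without a verified device may ever hold.
const DEVICE_LESS_BASELINE = new Set(["operator.read"]);

// Constructed pairing registry: device id -> fingerprint proven at pairing and
// the scopes granted to that device at that time.
const DEVICE_REGISTRY = new Map([
  ["dev-123", { fingerprint: "ab12cd34", scopes: ["operator.read", "operator.write", "operator.admin"] }],
]);

// Stand-in for device identity verification. A real gateway would verify a
// signature over a server nonce; here a device proves itself by presenting the
// fingerprint recorded at pairing. Returns the registry record or null.
function verifyDevice(device) {
  if (!device) return null;
  const rec = DEVICE_REGISTRY.get(device.id);
  return rec && rec.fingerprint === device.fingerprint ? rec : null;
}

// Vulnerable pattern: requests through the trusted proxy are allowed even with
// no device identity, and on that path the scopes the client declared are
// copied onto the session unchanged and retained for its lifetime.
function authorizeVulnerable(req) {
  if (!req.viaTrustedProxy) return { allowed: false, scopes: [] };
  const rec = verifyDevice(req.device);
  if (rec) return { allowed: true, scopes: [...rec.scopes] };
  return { allowed: true, scopes: [...(req.declaredScopes ?? [])] }; // trusts the claim as-is
}

// Hardened pattern: effective scopes come only from the verified device record.
// A device-less session is capped to the baseline, and a declaration of any
// privileged scope is refused outright so it can never be retained.
function authorizeFixed(req) {
  if (!req.viaTrustedProxy) return { allowed: false, scopes: [] };
  const rec = verifyDevice(req.device);
  if (rec) return { allowed: true, scopes: [...rec.scopes] };
  const declared = req.declaredScopes ?? [];
  if (declared.some((s) => PRIVILEGED.has(s))) {
    return { allowed: false, scopes: [], reason: "privileged scope requires a verified device identity" };
  }
  return { allowed: true, scopes: declared.filter((s) => DEVICE_LESS_BASELINE.has(s)) };
}

// Audit for deployments that cannot patch immediately: list sessions that hold
// a privileged scope with no verified device behind them (session shape assumed).
function findSuspiciousSessions(sessions) {
  return sessions.filter((s) => !s.deviceId && s.scopes.some((x) => PRIVILEGED.has(x)));
}

// Constructed requests: an attacker with no device declaring admin scope through
// the proxy, and a legitimately paired device.
const ATTACKER_REQ = { viaTrustedProxy: true, device: null, declaredScopes: ["operator.admin"] };
const PAIRED_REQ = { viaTrustedProxy: true, device: { id: "dev-123", fingerprint: "ab12cd34" }, declaredScopes: [] };

console.log("vulnerable path:", authorizeVulnerable(ATTACKER_REQ)); // admin scope retained
console.log("fixed path:", authorizeFixed(ATTACKER_REQ));           // refused
console.log("paired device:", authorizeFixed(PAIRED_REQ));          // scopes from registry
```

The point of the hardened variant is that the client's declaration is never the source of truth for privileged scopes: a verified device yields the scopes recorded at pairing, and a device-less session gets at most the baseline, so there is nothing elevated left to retain. The audit function is the same rule applied retroactively to sessions that already exist.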

Remediation

No vendor advisory or workaround is linked on this page. The affected range ("before 2026.3.22") implies that 2026.3.22 is the first fixed release, which is the upgrade target listed below.

OpenCVE Recommended Actions

  • Upgrade OpenClaw to 2026.3.22 or later
  • Restrict access to the Control UI to authenticated users only; until patched, do not expose it to clients that reach it through the trusted proxy without a verified device identity
  • Monitor logs for sessions that hold privileged scopes without a verified device identity, and for scope declarations made by device-less sessions

Advisories

No advisories yet.

History

Fri, 10 Apr 2026 15:15:00 +0000 (no values removed)

  Metrics, values added:
    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 09 Apr 2026 21:45:00 +0000 (no values removed)

  Description, values added:
    OpenClaw before 2026.3.22 contains a privilege escalation vulnerability in the Control UI that allows unauthenticated sessions to retain self-declared privileged scopes without device identity verification. Attackers can exploit the device-less allow path in the trusted-proxy mechanism to maintain elevated permissions by declaring arbitrary scopes, bypassing device identity requirements.
  Title, values added:
    OpenClaw < 2026.3.22 - Privilege Escalation via Self-Declared Scopes in Trusted-Proxy Control UI
  First Time appeared, values added:
    Openclaw
    Openclaw openclaw
  Weaknesses, values added:
    CWE-286
  CPEs, values added:
    cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
  Vendors & Products, values added:
    Openclaw
    Openclaw openclaw
  References, values added:
    (empty)
  Metrics, values added:
    cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
    cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-10T13:58:19.688Z

Reserved: 2026-04-04T12:30:33.463Z

Link: CVE-2026-35638

Vulnrichment

Updated: 2026-04-10T13:58:14.739Z

NVD

Status : Analyzed

Published: 2026-04-09T22:16:33.123

Modified: 2026-04-15T16:52:11.510

Link: CVE-2026-35638

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-10T09:28:24Z

Weaknesses