Description
OpenClaw before 2026.3.25 contains an authorization bypass vulnerability where group reaction events bypass the requireMention access control mechanism. Attackers can trigger reactions in mention-gated groups to enqueue agent-visible system events that should remain restricted.
Published: 2026-04-09
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authorization Bypass
Action: Apply Patch
AI Analysis

Impact

This vulnerability allows an attacker to bypass the group reaction access control that normally requires a mention. By sending reaction events to a mention-gated group, the attacker can trigger the creation of agent-visible system events that are normally restricted. This creates an unauthorized execution path in which restricted system actions become visible to the attacker. The weakness is an authorization bypass (CWE-288).

Affected Systems

The affected product is OpenClaw. Versions earlier than 2026.3.25 contain the flaw. No specific sub‑version list is provided, so all releases prior to 2026.3.25 are impacted.

Risk and Exploitability

The CVSS score of 5.3 indicates a medium severity risk. EPSS data is not available, but the vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw through routine use of group reactions, which any member of a mention-gated group can perform, so the attack vector is likely application-level and remote. Because the flaw permits unauthorized exposure of system events, it can lead to information disclosure or potential disruption of services.

Generated by OpenCVE AI on April 9, 2026 at 22:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the OpenClaw 2026.3.25 or newer update to fix the authorization bypass.
  • Verify that reactions are correctly restricted in mention‑gated groups.
  • Monitor group activity for unexpected reactions or system events.
  • If updating is delayed, restrict or disable reactions in mention‑gated groups until a patch is available.


Advisories

No advisories yet.

History

Mon, 13 Apr 2026 18:15:00 +0000

Values added (nothing removed):

  • Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 09 Apr 2026 21:45:00 +0000

Values added (nothing removed):

  • Description: OpenClaw before 2026.3.25 contains an authorization bypass vulnerability where group reaction events bypass the requireMention access control mechanism. Attackers can trigger reactions in mention-gated groups to enqueue agent-visible system events that should remain restricted.
  • Title: OpenClaw < 2026.3.25 - Authorization Bypass in Group Reactions via requireMention Bypass
  • First Time appeared: Openclaw; Openclaw openclaw
  • Weaknesses: CWE-288
  • CPEs: cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
  • Vendors & Products: Openclaw; Openclaw openclaw
  • References: (none listed)
  • Metrics: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}; cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-13T18:08:36.617Z

Reserved: 2026-04-04T12:30:33.464Z

Link: CVE-2026-35642

Vulnrichment

Updated: 2026-04-13T18:08:18.935Z

NVD

Status: Analyzed

Published: 2026-04-09T22:16:33.697

Modified: 2026-04-15T19:39:31.050

Link: CVE-2026-35642

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-10T09:28:21Z

Weaknesses