Description
OpenClaw before 2026.3.22 contains an authorization bypass vulnerability in interactive callback dispatch that allows non-allowlisted senders to execute action handlers. Attackers can bypass sender authorization checks by dispatching callbacks before normal security validation completes, enabling unauthorized actions.
Published: 2026-04-10
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized action execution via callback dispatch
Action: Immediate Patch
AI Analysis

Impact

OpenClaw releases prior to 2026.3.22 contain an authorization bypass flaw in the interactive callback dispatch mechanism. The flaw, classified as CWE-696 (Incorrect Authorization), allows senders that are not on the allowlist to trigger callbacks before the application’s normal security validation completes, enabling them to invoke arbitrary action handlers. This can lead to execution of unauthorized actions that the system should not permit, compromising the integrity of the application and potentially exposing sensitive data or altering system state.

Affected Systems

The vulnerability affects the OpenClaw product from the OpenClaw organization. All versions earlier than 2026.3.22 are affected; deployments should be checked to confirm they are running 2026.3.22 or later.

Risk and Exploitability

The CVSS score of 6.9 indicates a moderate to high risk level. Since no EPSS score is available and the vulnerability is not listed in CISA’s Known Exploited Vulnerabilities catalog, the likelihood of widespread exploitation remains uncertain. Based on the description, the likely attack vector is remote, where an attacker can send crafted callback requests to trigger the authorization bypass before standard validation is performed. The impact would be the unauthorized execution of privileged actions, potentially leading to data exposure or system compromise.

Generated by OpenCVE AI on April 10, 2026 at 18:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to OpenClaw version 2026.3.22 or later to eliminate the callback dispatch bypass.
  • Confirm that the updated release enforces strict sender validation and only processes callbacks from the allowlist.
  • If an upgrade cannot be performed immediately, block incoming callbacks from non‑allowlisted sources and monitor for anomalous activity.
  • Log and review callback activity for evidence of unauthorized action execution and apply temporary controls such as network segmentation or rate limiting while the patch is deployed.

Advisories

Source: GitHub GHSA
ID: GHSA-8883-9w57-vwv6
Title: OpenClaw: Mattermost callback dispatch allowed non-allowlisted sender actions
History

Tue, 14 Apr 2026 15:15:00 +0000

Values added:
  Metrics (ssvc): {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 10 Apr 2026 16:30:00 +0000

Values added:
  Description: OpenClaw before 2026.3.22 contains an authorization bypass vulnerability in interactive callback dispatch that allows non-allowlisted senders to execute action handlers. Attackers can bypass sender authorization checks by dispatching callbacks before normal security validation completes, enabling unauthorized actions.
  Title: OpenClaw < 2026.3.22 - Unauthorized Action Execution via Callback Dispatch
  First time appeared: Openclaw (vendor), openclaw (product)
  Weaknesses: CWE-696
  CPEs: cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
  Vendors & Products: Openclaw (vendor), openclaw (product)
  References: none listed
  Metrics (cvssV3_1): {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L'}
  Metrics (cvssV4_0): {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-14T14:55:03.900Z

Reserved: 2026-04-04T12:31:23.534Z

Link: CVE-2026-35652

Vulnrichment

Updated: 2026-04-14T14:54:58.449Z

NVD

Status : Analyzed

Published: 2026-04-10T17:17:05.987

Modified: 2026-04-13T21:06:31.013

Link: CVE-2026-35652

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-13T13:00:52Z

Weaknesses