CVE-2026-35646: openclaw: webhook rate-limit bypass enables token brute-force

GHSA-mf5g-6r6f-ghhm MEDIUM
Published March 29, 2026
CISO Take

The openclaw AI agent framework fails to throttle repeated unauthenticated guesses against webhook tokens, allowing any internet-accessible attacker to brute-force weak secrets through simple HTTP request loops. In AI agent deployments, a compromised webhook token is effectively a persistent trigger into the agent's full tool-invocation surface—data sources, integrations, and downstream pipelines all become reachable without any further escalation. This is not a theoretical risk: AIID #1368 documents active credential exfiltration via openclaw's skills ecosystem, showing the package is already a target of choice for adversaries pursuing AI agent compromise. Teams running openclaw should patch immediately to 2026.3.28, rotate all webhook secrets, and grep access logs for bursts of 401/403 responses against webhook endpoints.

Sources: NVD, GitHub Advisory, ATLAS

Risk Assessment

Medium severity by CVSS designation, but contextually elevated in AI agent environments. Exploitation is trivial—no authentication, no special tooling, just unauthenticated HTTP requests. The blast radius scales with webhook token weakness and how many tools the compromised agent can invoke. The 67 other CVEs in the openclaw package signal a persistent security debt that increases the likelihood of compound exploitation. No public exploit or scanner template is available, and the vulnerability is not in CISA KEV, keeping the immediate threat lower than the structural exposure would suggest.

Attack Kill Chain

  1. Reconnaissance (AML.T0006): Adversary identifies a publicly reachable openclaw webhook endpoint via passive DNS enumeration, GitHub secret scanning, or Shodan queries for openclaw-specific response signatures.
  2. Credential Brute-Force (AML.T0106): Adversary scripts a high-throughput loop of unauthenticated POST requests with varying token values; absent rate limiting, the endpoint processes every guess without throttling.
  3. Unauthorized Agent Trigger (AML.T0053): With a valid webhook token obtained, adversary crafts legitimate-looking webhook calls to trigger the AI agent's configured workflows as an authenticated caller.
  4. Impact: Data Exfiltration or Pipeline Poisoning (AML.T0086): Adversary invokes agent tools to exfiltrate data from connected databases or RAG backends, or injects malicious content into agent context to manipulate downstream pipeline behavior.

Affected Systems

| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| openclaw | npm | < 2026.3.28 | 2026.3.28 |

Severity & Risk

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

Recommended Action

  1. Patch: upgrade openclaw to version 2026.3.28 or later immediately.
  2. Rotate all webhook secrets after patching—treat any previously issued tokens as potentially compromised.
  3. Enforce minimum token entropy: use cryptographically random secrets of at least 32 bytes.
  4. Detection: alert on bursts of authentication failures (>10 failed webhook requests in 60 seconds from a single source IP) against webhook endpoints.
  5. Network controls: restrict webhook endpoint exposure to known source IPs via WAF or API gateway allow-lists where operationally feasible.
  6. Audit: review webhook access logs back to the first affected version (<=2026.3.24) for anomalous authentication failure patterns.
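
The detection rule in step 4, which also serves the log audit in step 6, as an added example that is not part of the original advisory or of openclaw. It assumes combined-log-format access logs in time order; the `/webhook/` path prefix, the function names, and the sample lines are constructed placeholders.

```javascript
// Added example: flag source IPs exceeding 10 failed webhook requests in 60 s.
// Assumptions: combined-log-format input in time order; "/webhook/" is a
// placeholder path prefix, not openclaw's documented route.
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" (\d{3}) /;
const TIME_RE = /^(\d{2})\/(\w{3})\/(\d{4}):(\d{2}):(\d{2}):(\d{2}) ([+-])(\d{2})(\d{2})$/;
const MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"];

function parseLine(line) {
  const m = LINE_RE.exec(line);
  const t = m && TIME_RE.exec(m[2]);
  if (!t || !MONTHS.includes(t[2])) return null; // unparseable lines are skipped
  const offsetMs = (t[7] === "-" ? -1 : 1) * (t[8] * 60 + +t[9]) * 60000;
  const ts = Date.UTC(+t[3], MONTHS.indexOf(t[2]), +t[1], +t[4], +t[5], +t[6]) - offsetMs;
  return { ip: m[1], ts, path: m[3], status: +m[4] };
}

function findBursts(lines, { prefix = "/webhook/", limit = 10, windowMs = 60000 } = {}) {
  const recent = new Map(); // ip -> failure timestamps still inside the window
  const alerts = new Map(); // ip -> first moment the limit was exceeded
  for (const line of lines) {
    const e = parseLine(line);
    if (!e || !e.path.startsWith(prefix)) continue;
    if (e.status !== 401 && e.status !== 403) continue;
    const q = recent.get(e.ip) ?? [];
    q.push(e.ts);
    while (e.ts - q[0] >= windowMs) q.shift(); // drop failures older than the window
    recent.set(e.ip, q);
    if (q.length > limit && !alerts.has(e.ip)) {
      alerts.set(e.ip, { ip: e.ip, failures: q.length, at: new Date(e.ts).toISOString() });
    }
  }
  return [...alerts.values()];
}

// Constructed sample: a burst from one address, a slow retrier, one success.
function sampleLog() {
  const row = (ip, sec, status) => {
    const mmss = new Date(sec * 1000).toISOString().slice(14, 19); // "MM:SS"
    return `${ip} - - [29/Mar/2026:10:${mmss} +0000] "POST /webhook/example HTTP/1.1" ${status} 0 "-" "-"`;
  };
  const rows = [];
  for (let i = 0; i < 12; i++) rows.push([i * 2, row("203.0.113.7", i * 2, 401)]);
  for (let i = 0; i < 12; i++) rows.push([i * 10, row("198.51.100.4", i * 10, 403)]);
  rows.push([5, row("192.0.2.10", 5, 200)]);
  return rows.sort((a, b) => a[0] - b[0]).map((r) => r[1]);
}

console.log(findBursts(sampleLog()));
```

Only the address that crosses the threshold is reported, with the time of the eleventh failure, which is the point from which webhook activity should be reviewed.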

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 9 - Risk Management System
ISO 42001: A.6.1.1 - AI System Security Controls
NIST AI RMF: MANAGE-2.2 - Mechanisms to sustain the value of deployed AI systems are evaluated and applied
OWASP LLM Top 10: LLM07 - Insecure Plugin Design

Related AI Incidents (1)

Source: AI Incident Database (AIID)

Frequently Asked Questions

Is CVE-2026-35646 actively exploited?

No confirmed active exploitation of CVE-2026-35646 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-35646?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, event-driven AI pipelines, webhook-triggered automation, agentic tool orchestration.

What is the CVSS score for CVE-2026-35646?

No CVSS score has been assigned yet.

Technical Details

NVD Description

## Summary

Synology Chat Webhook Pre-Auth Rate-Limit Bypass Enables Brute-Force Guessing of Weak Webhook Token

## Affected Packages / Versions

- Package: `openclaw`
- Affected versions: `<= 2026.3.24`
- First patched version: `2026.3.25`
- Latest published npm version at verification time: `2026.3.24`

## Details

Synology Chat webhook auth previously rejected invalid tokens without throttling repeated guesses, allowing brute-force attempts against weak webhook secrets. Commit `0b4d07337467f4d40a0cc1ced83d45ceaec0863c` adds repeated-guess throttling before auth failure responses. Verified vulnerable on tag `v2026.3.24` and fixed on `main` by commit `0b4d07337467f4d40a0cc1ced83d45ceaec0863c`.

## Fix Commit(s)

- `0b4d07337467f4d40a0cc1ced83d45ceaec0863c`
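
The description above says the fix throttles repeated guesses before the auth failure response. A sketch of that pattern as an added example, not the code from the fix commit: `GuessThrottle`, `checkWebhook`, `newWebhookSecret`, and the budget of 5 failures per 60 seconds are assumptions made for illustration.

```javascript
// Added example, not openclaw's code: spend a per-source failure budget
// BEFORE comparing tokens, so repeated guesses stop being evaluated.
// Assumptions: the class/function names and the 5-per-60 s budget.
const { createHash, randomBytes, timingSafeEqual } = require("node:crypto");

// 32 random bytes from the OS CSPRNG, URL-safe encoded (43 characters).
const newWebhookSecret = () => randomBytes(32).toString("base64url");

class GuessThrottle {
  constructor({ maxFailures = 5, windowMs = 60000, now = Date.now } = {}) {
    Object.assign(this, { maxFailures, windowMs, now, failures: new Map() });
  }
  live(source) { // current entry, or undefined once its window has passed
    const f = this.failures.get(source);
    if (f && this.now() >= f.resetAt) this.failures.delete(source);
    return this.failures.get(source);
  }
  blocked(source) {
    return (this.live(source)?.count ?? 0) >= this.maxFailures;
  }
  recordFailure(source) {
    const f = this.live(source) ?? { count: 0, resetAt: this.now() + this.windowMs };
    f.count += 1;
    this.failures.set(source, f);
  }
}

function tokenMatches(presented, expected) {
  // Hash both sides so timingSafeEqual always receives equal-length buffers.
  const a = createHash("sha256").update(String(presented)).digest();
  const b = createHash("sha256").update(String(expected)).digest();
  return timingSafeEqual(a, b);
}

// Returns the HTTP status the webhook handler should send.
function checkWebhook(throttle, source, presented, expected) {
  // A blocked source is refused even if this guess happens to be right;
  // otherwise the throttle would not slow a guessing loop at all.
  if (throttle.blocked(source)) return 429;
  if (tokenMatches(presented, expected)) return 200;
  throttle.recordFailure(source);
  return 401;
}
```

Key the throttle on the client address as seen after any trusted reverse proxy, and bound or periodically sweep the map in a long-running process.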

Exploitation Scenario

An adversary targeting an organization's AI agent automation discovers an externally reachable openclaw webhook endpoint through passive DNS or GitHub secret scanning. Knowing the package lacks rate limiting prior to 2026.3.25, they script a high-speed HTTP brute-force loop against the webhook token parameter. Against a weak or short secret (common in dev environments), exhaustion occurs within minutes to hours. With a valid token in hand, the attacker crafts webhook calls that trigger the AI agent's configured workflows—invoking tools that access internal databases, RAG knowledge bases, or downstream APIs—effectively achieving persistent, authenticated-equivalent access to the entire agent-connected environment without ever compromising a user account.

Timeline

Published: March 29, 2026
Last Modified: April 10, 2026
First Seen: April 11, 2026
