CVE-2026-35655: OpenClaw: identity spoofing bypasses agent safety checks

MEDIUM
Published April 10, 2026
CISO Take

OpenClaw before 2026.3.22 contains a flaw in its ACP permission resolver that trusts tool identity claims from user-controlled rawInput over authoritative metadata, allowing a low-privileged network attacker (with user interaction) to spoof a benign tool identity and suppress the dangerous-tool confirmation prompts that guard high-risk agent actions. The CVSS base score is 5.7 with High integrity impact, and with attack complexity rated Low the flaw is exploitable by anyone familiar with the rawInput parameter structure, though no public exploit or CISA KEV listing exists yet. The package carries 395 prior CVEs in the same ecosystem, suggesting a pattern of security debt that warrants broader supply chain scrutiny. Upgrade to OpenClaw ≥ 2026.3.22 immediately; if patching is delayed, restrict ACP access to trusted internal networks and audit agent tool execution logs for unexpected invocations of privileged or write-capable tools.

Sources: NVD, GitHub Advisory, ATLAS, VulnCheck

What is the risk?

Medium risk overall, elevated in agentic contexts. The CVSS base score is 5.7 (Medium), with High integrity impact offset by required user interaction and low privileges. No public exploit code, no Nuclei scanner template, and no CISA KEV listing reduce immediate urgency. However, attack complexity is Low and the vulnerability targets a safety guardrail — dangerous-tool prompting — which is a critical trust boundary in human-in-the-loop agent systems. Organizations running OpenClaw agents with access to privileged tools (file I/O, API calls, code execution) should treat this as higher priority than the base score suggests, as the safety bypass is the primary mechanism protecting against agent-mediated privilege escalation.

How does the attack unfold?

  1. Malicious input crafting (AML.T0043.003): the attacker constructs a request whose rawInput parameters contain tool identity hints claiming to represent a pre-approved benign tool, conflicting with the actual dangerous tool targeted for execution.

  2. Permission resolver exploitation (AML.T0107): OpenClaw's ACP permission resolver evaluates the conflicting identity signals and, per CWE-807, trusts the attacker-controlled rawInput hint over authoritative tool metadata, misclassifying the dangerous tool as safe.

  3. Safety guardrail bypass (AML.T0074): the dangerous-tool confirmation prompt is suppressed based on the falsified identity classification, silently removing the human-in-the-loop checkpoint without any user notification.

  4. Unauthorized tool execution (AML.T0053): the agent executes the high-risk tool (potentially writing files, invoking external APIs, or running arbitrary code) without user awareness or approval, completing the privilege escalation through the agent layer.
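Steps 2 and 3 come down to one decision: which source answers "what tool is about to run?". The following Python is an added example, not OpenClaw's code; ToolMeta, REGISTRY, resolve_vulnerable and resolve_fixed are assumed names, and the vulnerable variant reproduces the CWE-807 pattern beside a fail-closed fix that resolves identity only from server-side metadata.

```python
"""Toy ACP-style permission resolver showing the CWE-807 pattern (added example).

ToolMeta, REGISTRY and the resolve_* functions are assumed names, not OpenClaw code.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ToolMeta:
    tool_id: str
    dangerous: bool  # authoritative, server-side classification


# Constructed server-side registry: the only trustworthy source of tool identity.
REGISTRY = {
    "fetch_data": ToolMeta("fetch_data", dangerous=False),
    "write_file": ToolMeta("write_file", dangerous=True),
}


def resolve_vulnerable(resolved_tool: str, raw_input: dict) -> bool:
    """Return True when a dangerous-tool confirmation prompt must be shown.

    Defect: a caller-supplied identity hint in raw_input overrides the metadata
    of the tool that will actually run, so a benign hint silences the prompt.
    """
    claimed = raw_input.get("tool", resolved_tool)  # attacker-controlled value
    meta = REGISTRY.get(claimed)
    return meta is None or meta.dangerous


def resolve_fixed(resolved_tool: str, raw_input: dict) -> bool:
    """Decide from the tool that will execute; hints never lower the decision.

    A hint that conflicts with the resolved identity is treated as a red flag:
    the resolver fails closed and keeps the prompt.
    """
    meta = REGISTRY.get(resolved_tool)
    if meta is None:
        return True  # unknown tool: fail closed
    claimed = raw_input.get("tool")
    if claimed is not None and claimed != resolved_tool:
        return True  # identity mismatch between rawInput and metadata
    return meta.dangerous


if __name__ == "__main__":
    spoofed = {"tool": "fetch_data", "path": "/tmp/report.txt"}  # constructed input
    print("vulnerable prompts:", resolve_vulnerable("write_file", spoofed))  # False
    print("fixed prompts:", resolve_fixed("write_file", spoofed))  # True
```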

What systems are affected?

Package: OpenClaw
Ecosystem: pip
Vulnerable range / Patched: No patch
4 dependents, 37% patched, ~3d to patch

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1: 5.7 / 10
EPSS: N/A
Exploitation status: No known exploitation
Sophistication: Moderate

What is the attack surface?

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): Low
UI (User Interaction): Required
S (Scope): Unchanged
C (Confidentiality): None
I (Integrity): High
A (Availability): None

What should I do?

  1. Patch immediately: upgrade to OpenClaw ≥ 2026.3.22 (patches committed at 630f147 and e4c6172).

  2. If immediate patching is not feasible, restrict the ACP interface to trusted internal networks and enforce authenticated-only access.

  3. Audit agent tool execution logs for invocations of high-privilege or write-capable tools where the tool identity in rawInput does not match authoritative metadata records.

  4. Review all custom OpenClaw integrations that pass rawInput to the permission resolver — ensure tool identity is validated against server-side metadata, not user-supplied hints.

  5. As a defense-in-depth measure, add a secondary confirmation layer at the application level for any tool classified as dangerous while the patch is being deployed.
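For step 3, an audit pass over agent execution logs, written here as an added example rather than an OpenClaw tool; the JSON-lines layout and field names (resolved_tool, raw_input.tool, write_capable, prompted) are assumptions, and the sample lines are constructed.

```python
"""Audit pass over agent tool-execution logs (added example, not an OpenClaw tool).

The JSON-lines layout and its field names are assumptions; the sample is constructed.
"""
import json

SAMPLE_LOG = """\
{"ts":"2026-04-11T09:00:01Z","resolved_tool":"fetch_data","raw_input":{"tool":"fetch_data"},"write_capable":false,"prompted":false}
{"ts":"2026-04-11T09:00:07Z","resolved_tool":"write_file","raw_input":{"tool":"fetch_data"},"write_capable":true,"prompted":false}
{"ts":"2026-04-11T09:00:12Z","resolved_tool":"write_file","raw_input":{},"write_capable":true,"prompted":true}
{"ts":"2026-04-11T09:00:20Z","resolved_tool":"run_code","raw_input":{"tool":"run_code"},"write_capable":true,"prompted":true}
{"ts":"2026-04-11T09:00:31Z","resolved_tool":"write_file","raw_input":{},"write_capable":true,"prompted":false}
not valid json
"""


def audit(log_text: str) -> list:
    """Return findings for privileged invocations worth a human look.

    identity_mismatch: rawInput claims a different tool than metadata resolved
    (the spoofing pattern); unprompted_privileged: a write-capable tool ran with
    no confirmation; unparseable: a log line that cannot be trusted either way.
    """
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            findings.append({"line": lineno, "reason": "unparseable"})
            continue
        if not ev.get("write_capable"):
            continue  # read-only tools are out of scope for this audit
        resolved = ev.get("resolved_tool")
        claimed = (ev.get("raw_input") or {}).get("tool")
        if claimed is not None and claimed != resolved:
            findings.append({"line": lineno, "reason": "identity_mismatch",
                             "resolved": resolved, "claimed": claimed,
                             "prompted": bool(ev.get("prompted"))})
        elif not ev.get("prompted"):
            findings.append({"line": lineno, "reason": "unprompted_privileged",
                             "resolved": resolved})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```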

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.6.1.5 - AI system risk treatment
NIST AI RMF: MANAGE 2.2 - Mechanisms are in place to respond to and recover from AI risks
OWASP LLM Top 10: LLM06 - Excessive Agency

Frequently Asked Questions

Is CVE-2026-35655 actively exploited?

No confirmed active exploitation of CVE-2026-35655 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-35655?

This vulnerability affects the following AI/ML architecture patterns: AI agent frameworks, Human-in-the-loop agent systems, Multi-agent orchestration pipelines.

What is the CVSS score for CVE-2026-35655?

CVE-2026-35655 has a CVSS v3.1 base score of 5.7 (MEDIUM).

What is the AI security impact?

Affected AI Architectures

AI agent frameworks, Human-in-the-loop agent systems, Multi-agent orchestration pipelines

MITRE ATLAS Techniques

AML.T0053 AI Agent Tool Invocation
AML.T0074 Masquerading
AML.T0080 AI Agent Context Poisoning
AML.T0107 Exploitation for Defense Evasion

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.1.5
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM06

What are the technical details?

Original Advisory

OpenClaw before 2026.3.22 contains an identity spoofing vulnerability in ACP permission resolution that trusts conflicting tool identity hints from rawInput and metadata. Attackers can spoof tool identities through rawInput parameters to suppress dangerous-tool prompting and bypass security restrictions.

Exploitation Scenario

A threat actor with a valid low-privilege account in an organization using OpenClaw crafts a request where the rawInput parameter includes tool identity hints claiming to be a pre-approved benign tool — for example, a read-only data fetcher — while the ACP actually resolves execution to a high-risk write or execute-capable tool. The permission resolver, trusting rawInput over authoritative metadata per CWE-807, classifies the operation as safe and suppresses the dangerous-tool confirmation dialog. The user never sees a warning; the agent silently executes the privileged operation — writing files, calling external APIs, modifying databases, or running code — under the guise of a routine trusted tool invocation, leaving no user-visible audit trail of the safety bypass.

Weaknesses (CWE)

CWE-807 — Reliance on Untrusted Inputs in a Security Decision: The product uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism.

  • [Architecture and Design] Store state information and sensitive data on the server side only. Ensure that the system definitively and unambiguously keeps track of its own state and user state and has rules defined for legitimate state transitions. Do not allow any application user to affect state directly in any way other than through legitimate actions leading to state transitions. If information must be stored on the client, do not do so without encryption and integrity checking, or otherwise having a mechanism on the server side to catch tampering. Use a message authentication code (MAC) algorithm, such as Hash Message Authentication Code (HMAC) [REF-529]. Apply this against the state or sensitive data that has to be exposed, which can guarantee the integrity of the data - i.e., that the data has not been modified. Ensure that a strong hash function is used (CWE-328).
  • [Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. With a stateless protocol such as HTTP, use a framework that maintains the state for you. Examples include ASP.NET View State [REF-756] and the OWASP ESAPI Session Management feature [REF-45]. Be careful of language features that provide state support, since these might be provided as a convenience to the programmer and may not be considering security.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N

Timeline

Published: April 10, 2026
Last Modified: June 23, 2026
First Seen: June 23, 2026
