CVE-2026-35657: openclaw: auth bypass exposes agent session history via HTTP

GHSA-5jvj-hxmh-6h6j MEDIUM
Published March 29, 2026
CISO Take

openclaw's HTTP session history endpoint (/sessions/:sessionKey/history) authenticated bearer tokens but silently skipped the operator.read scope check enforced on the WebSocket path, meaning any valid token holder could read session histories regardless of their assigned permissions. In AI agent deployments, session histories routinely contain conversation transcripts, tool invocation outputs, and sensitive operational data — the exposure radius scales directly with what your agents handle. With 63 CVEs already documented in this package and an active ecosystem abuse incident (AIID #1368) showing malicious openclaw skills exfiltrating credentials from the same platform, this package deserves elevated scrutiny beyond this single issue. Patch immediately to 2026.3.25; if patching is blocked, restrict HTTP access to /sessions/*/history at the API gateway for tokens lacking operator.read scope, and audit existing HTTP access logs for unauthorized history reads.

Sources: GitHub Advisory, ATLAS, NVD

Risk Assessment

Medium severity but elevated in AI agent contexts. No public exploit, no CVSS score, not in CISA KEV. Exploitability is trivial — any holder of a valid bearer token can reach the endpoint without specialized tooling or AI/ML knowledge. The real risk multiplier is the data sensitivity typical of agent session histories: production deployments frequently process PII, internal tool outputs, and credentials through agent workflows, all of which surface in session history. The 63 CVEs in this package and the AIID #1368 credential-theft incident suggest a systemic security posture problem beyond this specific authorization gap.

Attack Kill Chain

  1. Initial Access (AML.T0091.000): Adversary obtains a valid openclaw bearer token with limited scope via credential theft, a compromised service integration, or an insider account with write-only permissions.
  2. Authorization Bypass (AML.T0049): Adversary sends HTTP GET requests to /sessions/:sessionKey/history; the server validates the token signature but skips the operator.read scope check, returning session data the token should not be authorized to access.
  3. Data Harvesting (AML.T0085): Adversary enumerates session histories across operators, extracting full conversation transcripts, tool call outputs, and agent decision chains from the AI platform.
  4. Exfiltration (AML.T0025): Harvested session history data — potentially containing PII, internal system details, or credentials processed through agent workflows — is exfiltrated to adversary-controlled infrastructure.

Affected Systems

| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| openclaw | npm | <= 2026.3.24 | 2026.3.25 |


Severity & Risk

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

Recommended Action

  1. Upgrade openclaw to 2026.3.25 (fix commit 1c45123231516fa50f8cf8522ba5ff2fb2ca7aea enforces operator scope declarations for HTTP callers).
  2. Interim workaround: block or ACL the /sessions/:sessionKey/history HTTP endpoint at the API gateway or reverse proxy, requiring explicit operator.read scope verification upstream before requests reach the application.
  3. Audit HTTP access logs for requests to /sessions/*/history from tokens without operator.read scope — treat any confirmed hits as potential data exposure incidents requiring notification review.
  4. Rotate bearer tokens for deployments with an unknown exposure window.
  5. Given 63 CVEs in this package, evaluate whether openclaw is appropriate for production use without a broader security review or migration plan.
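The log audit in step 3, as an added example that is not part of openclaw or the advisory. The JSON-lines log shape, the `tokenId` field, and the token-to-scope inventory are assumptions and the sample data is constructed; adapt them to what your gateway actually records.

```javascript
// Added example (not openclaw code): flag successful HTTP history reads by
// tokens that lack operator.read. ASSUMED: JSON-lines access log with
// ts/method/path/status/tokenId fields and a token-to-scope inventory.
const HISTORY_ROUTE = /^\/sessions\/([^/?#]+)\/history\/?(?:\?.*)?$/;

// Constructed inventory: token identifier -> scopes granted at issuance.
const tokenScopes = new Map([
  ["tok-ops-01", ["operator.read", "operator.write"]],
  ["tok-ci-07", ["operator.write"]],
]);

// Constructed sample log, one JSON object per line (plus one corrupt line).
const sampleLog = `
{"ts":"2026-03-20T10:00:01Z","method":"GET","path":"/sessions/abc123/history","status":200,"tokenId":"tok-ops-01"}
{"ts":"2026-03-20T10:02:14Z","method":"GET","path":"/sessions/abc123/history","status":200,"tokenId":"tok-ci-07"}
{"ts":"2026-03-20T10:02:15Z","method":"GET","path":"/sessions/def456/history?limit=50","status":200,"tokenId":"tok-ci-07"}
{"ts":"2026-03-20T10:03:00Z","method":"POST","path":"/sessions/abc123/messages","status":201,"tokenId":"tok-ci-07"}
{"ts":"2026-03-20T10:04:09Z","method":"GET","path":"/sessions/ghi789/history","status":200,"tokenId":"tok-unknown"}
{"ts":"2026-03-20T10:05:30Z","method":"GET","path":"/sessions/jkl012/history","status":401,"tokenId":"tok-ci-07"}
not-json garbage line
`;

function auditHistoryReads(logText, scopesByToken) {
  const findings = [];
  let unparsable = 0;
  for (const line of logText.split("\n")) {
    if (!line.trim()) continue;
    let e;
    try { e = JSON.parse(line); } catch { unparsable++; continue; }
    const m = e?.method === "GET" && HISTORY_ROUTE.exec(String(e.path));
    // Only 2xx responses actually returned history data.
    if (!m || e.status < 200 || e.status >= 300) continue;
    const scopes = scopesByToken.get(e.tokenId);
    if (scopes && scopes.includes("operator.read")) continue;
    findings.push({
      ts: e.ts, tokenId: e.tokenId, sessionKey: m[1],
      // A token absent from the inventory cannot be cleared, so flag it too.
      reason: scopes ? "missing operator.read" : "token not in inventory",
    });
  }
  return { findings, unparsable };
}

const report = auditHistoryReads(sampleLog, tokenScopes);
for (const f of report.findings) console.log(f.ts, f.tokenId, f.sessionKey, f.reason);
console.log(`unparsable lines: ${report.unparsable}`);
```

Unparsable lines are counted rather than dropped silently, so a gap in log coverage shows up in the audit result.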

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Art. 9 - Risk Management System
ISO 42001: A.6.1.4 - Data access controls for AI systems
NIST AI RMF: MANAGE 2.2 - Mechanisms are in place to address risks of AI system failures
OWASP LLM Top 10: LLM02 - Sensitive Information Disclosure

Related AI Incidents (1)

Source: AI Incident Database (AIID)

Frequently Asked Questions

What is CVE-2026-35657?

openclaw's HTTP session history endpoint (/sessions/:sessionKey/history) authenticated bearer tokens but silently skipped the operator.read scope check enforced on the WebSocket path, meaning any valid token holder could read session histories regardless of their assigned permissions. In AI agent deployments, session histories routinely contain conversation transcripts, tool invocation outputs, and sensitive operational data — the exposure radius scales directly with what your agents handle. With 63 CVEs already documented in this package and an active ecosystem abuse incident (AIID #1368) showing malicious openclaw skills exfiltrating credentials from the same platform, this package deserves elevated scrutiny beyond this single issue. Patch immediately to 2026.3.25; if patching is blocked, restrict HTTP access to /sessions/*/history at the API gateway for tokens lacking operator.read scope, and audit existing HTTP access logs for unauthorized history reads.

Is CVE-2026-35657 actively exploited?

No confirmed active exploitation of CVE-2026-35657 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-35657?

  1. Upgrade openclaw to 2026.3.25 (fix commit 1c45123231516fa50f8cf8522ba5ff2fb2ca7aea enforces operator scope declarations for HTTP callers).
  2. Interim workaround: block or ACL the /sessions/:sessionKey/history HTTP endpoint at the API gateway or reverse proxy, requiring explicit operator.read scope verification upstream before requests reach the application.
  3. Audit HTTP access logs for requests to /sessions/*/history from tokens without operator.read scope — treat any confirmed hits as potential data exposure incidents requiring notification review.
  4. Rotate bearer tokens for deployments with an unknown exposure window.
  5. Given 63 CVEs in this package, evaluate whether openclaw is appropriate for production use without a broader security review or migration plan.

What systems are affected by CVE-2026-35657?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, multi-tenant AI platforms, API gateways, agentic pipelines.

What is the CVSS score for CVE-2026-35657?

No CVSS score has been assigned yet.

Technical Details

NVD Description

## Summary

Gateway HTTP Session History Route Bypasses Operator Read Scope

## Affected Packages / Versions

- Package: `openclaw`
- Affected versions: `<= 2026.3.24`
- First patched version: `2026.3.25`
- Latest published npm version at verification time: `2026.3.24`

## Details

The HTTP `/sessions/:sessionKey/history` route previously authenticated bearer tokens but skipped the same `operator.read` check used by `chat.history` over WebSocket. Commit `1c45123231516fa50f8cf8522ba5ff2fb2ca7aea` makes HTTP callers declare operator scopes and rejects history reads that do not include `operator.read`.

Verified vulnerable on tag `v2026.3.24` and fixed on `main` by commit `1c45123231516fa50f8cf8522ba5ff2fb2ca7aea`.

## Fix Commit(s)

- `1c45123231516fa50f8cf8522ba5ff2fb2ca7aea`
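The gap between authentication and authorization described above, modeled as an added example with a transport-parity check that works as a regression test. This is not openclaw source: every function name, the token store, and the session data are hypothetical, and scopes are read from a constructed token store as a simplification.

```javascript
// Added example, not openclaw source. All names below are hypothetical.
const TOKENS = new Map([                       // constructed token store
  ["t-reader", { id: "reader", scopes: ["operator.read"] }],
  ["t-writer", { id: "writer", scopes: ["operator.write"] }],
]);
const HISTORY = { s1: ["user: hi", "agent: hello"] };   // constructed data

// Authentication only: is this a valid token at all?
function authenticate(bearer) { return TOKENS.get(bearer) || null; }

// Authentication plus authorization, shared by every transport.
function authorize(bearer, scope) {
  const principal = authenticate(bearer);
  if (!principal) return 401;
  return principal.scopes.includes(scope) ? 200 : 403;
}

function respond(status, sessionKey) {
  return status === 200 ? { status, body: HISTORY[sessionKey] ?? [] } : { status };
}

// WebSocket chat.history: token must carry operator.read.
function historyOverWebSocket(bearer, sessionKey) {
  return respond(authorize(bearer, "operator.read"), sessionKey);
}

// HTTP route as described for <= 2026.3.24: token validity is the only gate.
function historyOverHttpBefore(bearer, sessionKey) {
  return respond(authenticate(bearer) ? 200 : 401, sessionKey);
}

// HTTP route with the same scope check as the WebSocket path.
function historyOverHttpAfter(bearer, sessionKey) {
  return respond(authorize(bearer, "operator.read"), sessionKey);
}

// Parity check: each token must get the same status on both transports.
function transportMismatches(httpHandler) {
  const out = [];
  for (const bearer of [...TOKENS.keys(), "t-invalid"]) {
    const ws = historyOverWebSocket(bearer, "s1").status;
    const http = httpHandler(bearer, "s1").status;
    if (ws !== http) out.push({ bearer, ws, http });
  }
  return out;
}

console.log("before:", transportMismatches(historyOverHttpBefore));
console.log("after: ", transportMismatches(historyOverHttpAfter));
```

Routing both transports through one `authorize` function is what keeps a newly added route from drifting out of step with the existing policy.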

Exploitation Scenario

An adversary holding a valid but limited-scope bearer token — obtained through credential theft, a compromised service integration, or an insider account with only write permissions — crafts HTTP GET requests to /sessions/<sessionKey>/history. Unlike the WebSocket path, the HTTP handler validates the token signature but skips the operator.read scope assertion, returning full session histories. The adversary enumerates session keys through predictable patterns or by observing keys returned from other accessible endpoints, then silently exfiltrates conversation transcripts, tool call outputs, and agent decision chains. In multi-tenant deployments this enables cross-operator boundary traversal, effectively collapsing tenant isolation without triggering authentication failures.

Timeline

Published: March 29, 2026
Last Modified: April 10, 2026
First Seen: April 10, 2026
