CVE-2026-35661: OpenClaw: auth bypass mutates AI agent session state

MEDIUM
Published April 10, 2026
CISO Take

OpenClaw's Telegram integration contains an authorization bypass (CWE-288) where callback query handlers enforce weaker access controls than the DM pairing flow, allowing any unauthenticated remote attacker to arbitrarily mutate agent session state without completing the pairing handshake. The zero-privilege network vector (AV:N/AC:L/PR:N/UI:N) makes this exploitable with minimal skill — no account, no prior access, and no user interaction required. Although EPSS data is unavailable and tracked downstream dependents number only 4, OpenClaw is classified as an AI agent framework where session-state manipulation directly influences autonomous task execution, meaning the operational blast radius meaningfully exceeds what the CVSS 5.3 score alone suggests. Upgrade to OpenClaw 2026.3.25 (patch commit 269282ac) immediately; if patching is delayed, restrict the Telegram bot to allow-listed user IDs at the infrastructure level or disable inline button callback handling entirely.

Sources: NVD, GitHub Advisory, VulnCheck, ATLAS

What is the risk?

Medium CVSS (5.3) understates real-world risk in agentic deployments. The attack requires no authentication, no elevated privileges, and no user interaction — the weakest possible precondition set. The sole saving grace is the limited current package footprint (4 dependents, no CISA KEV listing, no public exploit or scanner template). However, in AI agent architectures, session state is the control plane for task execution: an attacker who can write arbitrary state effectively co-pilots the agent without leaving an obvious authentication log trail. The 395 other CVEs in the same package signal a broader pattern of security debt that warrants scrutiny beyond this single issue.

How does the attack unfold?

  1. Discovery (AML.T0006): Attacker identifies a publicly accessible OpenClaw-powered Telegram bot via Telegram search, public repository references, or passive enumeration of known bot usernames.

  2. Authorization Bypass (AML.T0049): Attacker sends a crafted inline button callback query to the bot's callback handler endpoint, bypassing DM pairing requirements through the weaker callback-only authorization path (CWE-288).

  3. Session State Poisoning (AML.T0080): The unauthenticated callback is processed and arbitrary attacker-supplied values are written into the active agent session, replacing legitimate task context with adversary-controlled state.

  4. Agent Abuse (AML.T0053): The agent proceeds with poisoned session state, executing subsequent tool invocations, API calls, or multi-step workflow actions under attacker-controlled parameters without the session owner's awareness.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
OpenClaw pip No patch
4 dependents, 37% patched, ~3d to patch

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1
5.3 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Trivial

What is the attack surface?

AV Network
AC Low
PR None
UI None
S Unchanged
C None
I Low
A None

What should I do?

  1. Patch immediately: upgrade OpenClaw to 2026.3.25 or apply patch commit 269282ac69ab6030d5f30d04822668f607f13065 from the upstream repository.

  2. If patching is not immediately possible, restrict Telegram bot access to a hard allow-list of user/chat IDs at the bot configuration level; block all unknown callback query senders at the application boundary.

  3. Audit session state logs for unexpected mutations — look for state transitions not preceded by a completed DM pairing handshake.

  4. Review tool permission scopes granted to the agent; temporarily revoke write-capable tool access until patched.

  5. Monitor the vendor security advisory at GHSA-j4c9-w69r-cw33 and the VulnCheck advisory for exploitation indicators or updated EPSS data.
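
One way to run the audit in step 3, as an added example (not OpenClaw code): it flags every state mutation whose sender had no active pairing at that moment. The JSON-lines schema, the event names and the pairing model keyed on (session, sender) are assumptions, and the sample log is constructed.

```python
import json

# Constructed sample events; the field names are assumptions, not OpenClaw's log schema.
SAMPLE_LOG = """\
{"ts": "2026-04-11T09:00:02Z", "event": "pairing_completed", "user_id": 1001, "session": "s-a"}
{"ts": "2026-04-11T09:00:40Z", "event": "state_mutation", "user_id": 1001, "session": "s-a", "via": "callback_query"}
{"ts": "2026-04-11T09:03:15Z", "event": "state_mutation", "user_id": 2002, "session": "s-a", "via": "callback_query"}
{"ts": "2026-04-11T09:04:00Z", "event": "pairing_revoked", "user_id": 1001, "session": "s-a"}
{"ts": "2026-04-11T09:05:30Z", "event": "state_mutation", "user_id": 1001, "session": "s-a", "via": "callback_query"}
not-json garbage line
{"ts": "2026-04-11T09:06:00Z", "event": "state_mutation", "user_id": 3003, "session": "s-b", "via": "dm"}
{"ts": "2026-04-11T09:07:00Z", "event": "pairing_completed", "user_id": 3003, "session": "s-b"}
"""


def find_unpaired_mutations(log_text):
    """Return (findings, unparsed): mutations by a sender with no active pairing."""
    events, unparsed = [], []
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
            ev["ts"], ev["event"], ev["user_id"], ev["session"]  # required fields
        except (ValueError, KeyError, TypeError):
            unparsed.append(n)  # keep for manual review rather than dropping silently
            continue
        events.append(ev)
    # ISO-8601 UTC timestamps of equal precision sort correctly as strings;
    # the sort is stable, so same-second events keep their file order.
    events.sort(key=lambda e: e["ts"])
    paired, findings = set(), []
    for ev in events:
        key = (ev["session"], ev["user_id"])
        if ev["event"] == "pairing_completed":
            paired.add(key)
        elif ev["event"] == "pairing_revoked":
            paired.discard(key)
        elif ev["event"] == "state_mutation" and key not in paired:
            findings.append(ev)  # never paired, pairing revoked, or paired only later
    return findings, unparsed
```

Unparsed line numbers are returned alongside the findings because a gap in the log is itself worth reviewing during the audit.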

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, Robustness and Cybersecurity
ISO 42001
A.6.2 - AI System Security
NIST AI RMF
MANAGE-2.2 - Risk Treatments for AI Trustworthiness
OWASP LLM Top 10
LLM07 - Insecure Plugin Design

Frequently Asked Questions

Is CVE-2026-35661 actively exploited?

No confirmed active exploitation of CVE-2026-35661 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-35661?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, conversational AI interfaces, Telegram bot integrations, multi-step agentic workflows.

What is the CVSS score for CVE-2026-35661?

CVE-2026-35661 has a CVSS v3.1 base score of 5.3 (MEDIUM).

What is the AI security impact?

Affected AI Architectures

agent frameworks, conversational AI interfaces, Telegram bot integrations, multi-step agentic workflows

MITRE ATLAS Techniques

AML.T0049 Exploit Public-Facing Application
AML.T0053 AI Agent Tool Invocation
AML.T0080 AI Agent Context Poisoning

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2
NIST AI RMF: MANAGE-2.2
OWASP LLM Top 10: LLM07

What are the technical details?

Original Advisory

OpenClaw before 2026.3.25 contains an authorization bypass vulnerability in Telegram callback query handling that allows attackers to mutate session state without satisfying normal DM pairing requirements. Remote attackers can exploit weaker callback-only authorization in direct messages to bypass DM pairing and modify session state.

Exploitation Scenario

An attacker identifies a public-facing Telegram bot powered by OpenClaw — discoverable via Telegram search or by enumerating bot usernames referenced in public repositories. Without initiating a DM pairing handshake, the attacker crafts a Telegram inline button callback query containing a manipulated session payload and sends it directly to the bot's callback handler endpoint. The handler, relying on weaker callback-only authorization, processes the request and writes the attacker-supplied state into the active session. The attacker then leverages the poisoned session to redirect the agent's next autonomous task — for example, altering a pending API call target, injecting a prompt into the agent's working memory, or triggering a tool invocation against an attacker-controlled endpoint — all without the legitimate session owner being notified.

Weaknesses (CWE)

CWE-288 — Authentication Bypass Using an Alternate Path or Channel: The product requires authentication, but the product has an alternate path or channel that does not require authentication.

  • [Architecture and Design] Funnel all access through a single choke point to simplify how users can access a resource. For every access, perform a check to determine if the user has permissions to access the resource.

Source: MITRE CWE corpus.
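
The choke-point mitigation above, combined with the allow-list from the remediation steps, shown as an added example rather than OpenClaw's patch: every update kind passes through one `authorize` check before any handler can write session state. `Update`, `Gateway` and the pairing set are hypothetical names, and the updates are constructed stand-ins for Telegram Bot API objects.

```python
from dataclasses import dataclass, field


@dataclass
class Update:
    """Constructed stand-in for an inbound Telegram update (not the Bot API types)."""
    kind: str        # "message" or "callback_query"
    sender_id: int
    chat_type: str   # "private" for a DM
    data: str = ""


@dataclass
class Gateway:
    allowed_ids: frozenset                       # hard allow-list from bot configuration
    paired_ids: set = field(default_factory=set)
    session: dict = field(default_factory=dict)
    denied: list = field(default_factory=list)   # audit trail of rejected updates

    def authorize(self, upd):
        """Single choke point: the same policy for every update kind."""
        if upd.sender_id not in self.allowed_ids:
            return "sender not on allow-list"
        # Assumption: pairing is a DM requirement; group policy is out of scope here.
        if upd.chat_type == "private" and upd.sender_id not in self.paired_ids:
            return "DM pairing not completed"
        return None

    def dispatch(self, upd):
        reason = self.authorize(upd)
        if reason:
            self.denied.append((upd.kind, upd.sender_id, reason))
            return False
        handler = {"message": self._on_message,
                   "callback_query": self._on_callback}.get(upd.kind)
        if handler is None:  # unknown update kinds are denied, not ignored
            self.denied.append((upd.kind, upd.sender_id, "unsupported update kind"))
            return False
        handler(upd)
        return True

    # Handlers contain no authorization logic of their own, so there is
    # no alternate path that can apply a weaker check than dispatch().
    def _on_message(self, upd):
        self.session["last_message"] = upd.data

    def _on_callback(self, upd):
        self.session["selected_option"] = upd.data
```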

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Timeline

Published
April 10, 2026
Last Modified
June 23, 2026
First Seen
June 23, 2026
