CVE-2026-35662: OpenClaw: missing auth enables agent scope bypass

MEDIUM
Published April 10, 2026
CISO Take

OpenClaw fails to validate the `controlScope` field on its `send` action, allowing any leaf subagent to message controlled child sessions it was never authorized to reach — a classic missing authorization flaw (CWE-862) applied to an AI agent orchestration trust boundary. In multi-agent pipelines the scope model is the primary isolation control; when it silently fails, an attacker with low-privilege access to a single leaf agent can inject instructions or extract responses across session boundaries without detection. Blast radius today is limited — only 4 known downstream dependents — but AIID #1368 demonstrates that OpenClaw's trust model has already attracted adversarial attention, with malicious skills exfiltrating credentials via the same ecosystem. Patch immediately to OpenClaw 2026.3.22 (commits 630f1479 and 7679eb37 are available); if patching is delayed, restrict the `send` action at the orchestration layer and audit inter-agent message logs for unexpected cross-scope traffic.

Sources: NVD, GitHub Advisory, ATLAS, VulnCheck

What is the risk?

Medium overall, but elevated for organizations running multi-tenant or multi-principal OpenClaw deployments where agent isolation is a trust boundary. CVSS 4.3 accurately reflects the limited direct confidentiality/availability impact, but underweights the integrity risk in agentic pipelines where an unauthorized message to a child session can cascade into unauthorized tool invocations or data exfiltration. No public exploit, no CISA KEV entry, no Nuclei template — exploitation requires authenticated access and OpenClaw-specific knowledge, raising the effective bar to moderate sophistication. The 395 other CVEs in this package signal active security scrutiny; expect further disclosure.

How does the attack unfold?

  1. Initial Access (AML.T0012): Attacker obtains low-privilege authenticated access to an OpenClaw multi-agent deployment, either via compromised credentials or by controlling a leaf subagent through a malicious skill.

  2. Scope Bypass (AML.T0107): Attacker crafts a send action targeting a controlled child session outside the leaf agent's registered controlScope; OpenClaw routes the message without validating the scope boundary.

  3. Unauthorized Agent Invocation (AML.T0053): The privileged child session processes the injected message and executes the requested action — retrieving data, invoking tools, or returning sensitive context — as if the request were legitimate.

  4. Data Exfiltration / Impact (AML.T0086): Responses from the privileged session flow back through the agent graph to the attacker-controlled leaf, enabling extraction of out-of-scope data or injection of unauthorized instructions into the pipeline.

What systems are affected?

Package: OpenClaw
Ecosystem: pip
Vulnerable Range: (not listed)
Patched: No patch
Dependents: 4 (37% patched, ~3d to patch)

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1: 4.3 / 10
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Moderate

What is the attack surface?

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): Low
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): None
I (Integrity): Low
A (Availability): None

What should I do?

5 steps
  1. Patch: upgrade to OpenClaw ≥2026.3.22; both patch commits (630f1479, 7679eb37) are publicly available.

  2. If patching is blocked: add server-side validation of controlScope on every send action at the orchestration/gateway layer, rejecting any message whose sender's registered scope does not include the target session ID.

  3. Detection: audit application logs for send actions where the sender session and target session do not share a scope ancestry; alert on unexpected cross-scope messaging patterns.

  4. Inventory: enumerate all OpenClaw deployments and identify which run multi-scope topologies — single-scope flat deployments have no exploitable isolation boundary to cross.

  5. Monitor vendor advisory (GHSA-x2cm-hg9c-mf5w) for follow-on disclosures given the package's high CVE count.
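As an added illustration of steps 2 and 3 (this is not OpenClaw's own code; the project's internals are not shown on this page), the Python below implements a gateway-side gate that rejects a `send` whose target session is not covered by the sender's registered `controlScope`, and an audit routine that replays JSON-formatted `send` events through the same check to surface cross-scope traffic. The session tree, the assumption that a `controlScope` entry covers the whole subtree under that session, the session names and the log format are all constructed for the example.

```python
"""Hypothetical orchestration-layer scope gate for `send` actions.

Added illustration, not OpenClaw's code: the session tree, the rule that a
controlScope entry covers the whole subtree under that session, and the JSON
log format are assumptions made for this example.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Session:
    session_id: str
    parent: Optional[str]
    # Session IDs this session is registered to message. Empty means it may
    # message nothing, so a missing controlScope fails closed.
    control_scope: frozenset[str] = frozenset()


class SessionGraph:
    def __init__(self, sessions: list[Session]) -> None:
        self.by_id = {s.session_id: s for s in sessions}

    def ancestry(self, session_id: str) -> list[str]:
        """Return session_id followed by its parent, grandparent, ... root."""
        chain: list[str] = []
        cur: Optional[str] = session_id
        while cur is not None:
            chain.append(cur)
            cur = self.by_id[cur].parent
        return chain

    def in_scope(self, sender_id: str, target_id: str) -> bool:
        """True only when the target, or an ancestor of it, is listed in the
        sender's controlScope. Unknown sender or target is denied."""
        sender = self.by_id.get(sender_id)
        if sender is None or target_id not in self.by_id:
            return False
        return any(s in sender.control_scope for s in self.ancestry(target_id))


def validate_send(graph: SessionGraph, sender_id: str, target_id: str) -> bool:
    """Step 2: server-side check to run before routing any send action."""
    if not graph.in_scope(sender_id, target_id):
        raise PermissionError(
            f"send denied: {sender_id} has no controlScope covering {target_id}")
    return True


def audit_cross_scope(graph: SessionGraph,
                      log_lines: list[str]) -> list[tuple[str, str, str]]:
    """Step 3: replay JSON log lines and return (ts, sender, target) for
    every send whose target lies outside the sender's scope."""
    findings: list[tuple[str, str, str]] = []
    for line in log_lines:
        event = json.loads(line)
        if event.get("action") != "send":
            continue
        if not graph.in_scope(event["sender"], event["target"]):
            findings.append((event["ts"], event["sender"], event["target"]))
    return findings


# Constructed topology: an orchestrator with a public-data retrieval subtree,
# a privileged compliance-docs session, and a leaf agent scoped to public-data.
GRAPH = SessionGraph([
    Session("orchestrator", None),
    Session("public-data", "orchestrator"),
    Session("public-data/worker-1", "public-data"),
    Session("compliance-docs", "orchestrator"),
    Session("leaf-research", "orchestrator", frozenset({"public-data"})),
])

# Constructed log lines in the assumed format; the second one is the
# cross-scope send the advisory describes.
SAMPLE_LOG = [
    '{"ts": "2026-04-10T09:00:01Z", "action": "send", "sender": "leaf-research", "target": "public-data/worker-1"}',
    '{"ts": "2026-04-10T09:00:07Z", "action": "send", "sender": "leaf-research", "target": "compliance-docs"}',
    '{"ts": "2026-04-10T09:00:09Z", "action": "tool_call", "sender": "compliance-docs", "target": "vector-store"}',
]

if __name__ == "__main__":
    for ts, sender, target in audit_cross_scope(GRAPH, SAMPLE_LOG):
        print(f"{ts} cross-scope send {sender} -> {target}")
```

The gate fails closed: a session with no registered scope, an unknown sender, or an unknown target is always denied, which is the property the missing check in the advisory lacked. Running the audit over the constructed log reports only the second line, the send from `leaf-research` to `compliance-docs`.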

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 9 - Risk management system
ISO 42001
A.6.1.2 - AI system roles and access control
NIST AI RMF
GOVERN 1.3 - Organizational risk policies address AI-specific risks
OWASP LLM Top 10
LLM08 - Excessive Agency

Frequently Asked Questions

Is CVE-2026-35662 actively exploited?

No confirmed active exploitation of CVE-2026-35662 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-35662?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, multi-agent systems, RAG pipelines, agentic tool-use pipelines.

What is the CVSS score for CVE-2026-35662?

CVE-2026-35662 has a CVSS v3.1 base score of 4.3 (MEDIUM).

What is the AI security impact?

Affected AI Architectures

agent frameworks, multi-agent systems, RAG pipelines, agentic tool-use pipelines

MITRE ATLAS Techniques

AML.T0053 AI Agent Tool Invocation
AML.T0107 Exploitation for Defense Evasion
AML.T0108 AI Agent

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: A.6.1.2
NIST AI RMF: GOVERN 1.3
OWASP LLM Top 10: LLM08

What are the technical details?

Original Advisory

OpenClaw before 2026.3.22 fails to enforce controlScope restrictions on the send action, allowing leaf subagents to message controlled child sessions beyond their authorized scope. Attackers can exploit this by using the send action to communicate with child sessions without proper scope validation, bypassing intended access control restrictions.

Exploitation Scenario

An attacker obtains low-privilege credentials for an OpenClaw deployment — for example, via a compromised user account or a malicious skill injected into the ecosystem (as documented in AIID #1368). From that foothold they control or influence a leaf subagent configured with a narrow controlScope (e.g., only authorized to interact with a public-data retrieval session). They craft a send action targeting a privileged child session — say, an internal compliance document retrieval agent — that the leaf was never authorized to reach. Because OpenClaw fails to validate the scope boundary, the message is delivered and the privileged session processes it, returning sensitive documents or executing restricted tool calls. The attacker collects the responses from the leaf agent's context, exfiltrating data without ever directly authenticating to the privileged session.

Weaknesses (CWE)

CWE-862 — Missing Authorization: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

  • [Architecture and Design] Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries. Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
  • [Architecture and Design] Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Timeline

Published: April 10, 2026
Last Modified: June 23, 2026
First Seen: June 23, 2026
