CVE-2026-35663: OpenClaw: privilege escalation to admin via backend reconnect

HIGH
Published April 10, 2026
CISO Take

CVE-2026-35663 is a high-severity (CVSS 8.8) privilege escalation in OpenClaw, an AI agent framework, where any authenticated operator can self-claim admin-level scopes by manipulating scope requests during backend reconnection — no pairing verification required. The attack is network-accessible, requires only low privileges, and demands no user interaction, making it trivially exploitable by any operator-level account. Although EPSS data is unavailable and this is not yet in CISA KEV, the companion AIID #1368 incident documents active adversarial abuse of OpenClaw's skills ecosystem to distribute credential-stealing malware — admin-level compromise via this flaw would dramatically amplify that attack surface. Upgrade to OpenClaw 2026.3.25 (patch commit d3d8e316) immediately; if patching is delayed, restrict backend reconnect endpoints at the network layer and audit all operator accounts for unauthorized scope escalations.

Sources: NVD, GitHub Advisory, ATLAS, VulnCheck

What is the risk?

High risk. CVSS 8.8 with network vector, low attack complexity, and no user interaction reflects near-trivial exploitability for any operator-level account holder. AI agent frameworks like OpenClaw typically hold elevated system permissions — access to external APIs, stored credentials, data sources, and tool invocations — meaning admin-level compromise carries a substantially higher blast radius than a typical application privilege escalation. With 395 prior CVEs in the same package, the overall security posture of this package warrants serious long-term scrutiny beyond patching this single CVE.

How does the attack unfold?

Initial Access
Attacker obtains a valid low-privilege operator account for the target OpenClaw deployment via credential theft, phishing, or insider access.
AML.T0012
Exploitation
During backend reconnection, attacker self-requests operator.admin scope in the reconnect handshake, bypassing pairing verification due to CWE-648 incorrect privileged API usage.
AML.T0049
Persistence & Config Tampering
With admin access secured, attacker modifies agent configuration and installs malicious skills to maintain persistent access and expand operational capabilities.
AML.T0081
Credential Harvest & Exfiltration
Admin access enables extraction of all credentials stored in agent configurations — API keys, service tokens, secrets — enabling lateral movement to all systems integrated with the agent.
AML.T0083

What systems are affected?

Package Ecosystem Vulnerable Range Patched
OpenClaw pip No patch
4 dependents, 37% patched, ~3d to patch

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1
8.8 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Trivial

What is the attack surface?

AV Network
AC Low
PR Low
UI None
S Unchanged
C High
I High
A High

What should I do?

  1. Patch immediately: upgrade to OpenClaw 2026.3.25 or apply commit d3d8e316bd819d3c7e34253aeb7eccb2510f5f48 from the vendor advisory.

  2. If patching is delayed: restrict or block access to backend reconnect endpoints at the network or firewall level and limit operator account creation to the minimum necessary.

  3. Audit all existing operator accounts and review backend reconnect logs for unexpected scope escalations or operator.admin reconnection events.

  4. Rotate all credentials stored in OpenClaw agent configurations, since a compromised admin account enables harvesting of every agent-configured secret.

  5. Review installed skills and plugins for signs of tampering consistent with the AIID #1368 credential-stealer pattern.

  6. Implement alerting on anomalous backend reconnect events or unexpected admin-level API calls going forward.
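One way to run the reconnect-log audit from steps 3 and 6, as an added example that is not OpenClaw code: it assumes a hypothetical JSON-lines log and a separately maintained inventory of provisioned scopes. All field names and every scope other than operator.admin are assumptions made for illustration.

```python
import json

# Constructed sample: hypothetical JSON-lines reconnect log. Field names and
# every scope except operator.admin are assumptions, not OpenClaw's format.
SAMPLE_LOG = """\
{"ts":"2026-04-11T09:00:01Z","event":"backend.reconnect","operator":"alice","granted_scopes":["operator.read"],"paired":true}
{"ts":"2026-04-11T09:02:17Z","event":"backend.reconnect","operator":"bob","granted_scopes":["operator.read","operator.admin"],"paired":false}
{"ts":"2026-04-11T09:03:40Z","event":"skill.install","operator":"bob","skill":"example"}
not-json garbage line
{"ts":"2026-04-11T09:05:02Z","event":"backend.reconnect","operator":"carol","granted_scopes":["operator.admin"],"paired":true}
{"ts":"2026-04-11T09:06:30Z","event":"backend.reconnect","operator":"mallory","granted_scopes":["operator.read"],"paired":true}
"""

# Assumed source of truth: scopes each operator account was provisioned with.
AUTHORIZED = {
    "alice": {"operator.read"},
    "bob": {"operator.read"},
    "carol": {"operator.read", "operator.admin"},
}


def find_scope_escalations(log_text, authorized):
    """Return (line_number, operator, reason) for each suspicious reconnect."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            # Keep unparseable lines visible; silent drops can hide tampering.
            findings.append((lineno, None, "unparseable"))
            continue
        if not isinstance(rec, dict) or rec.get("event") != "backend.reconnect":
            continue
        op = rec.get("operator")
        granted = set(rec.get("granted_scopes") or [])
        if op not in authorized:
            findings.append((lineno, op, "unknown-operator"))
            continue
        excess = granted - authorized[op]
        if excess:
            findings.append((lineno, op, "excess:" + ",".join(sorted(excess))))
        elif "operator.admin" in granted and not rec.get("paired", False):
            findings.append((lineno, op, "admin-without-pairing"))
    return findings


if __name__ == "__main__":
    for finding in find_scope_escalations(SAMPLE_LOG, AUTHORIZED):
        print(finding)
```

The same function can back the alerting in step 6 if it is run over new log lines as they arrive.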

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.1.2 - Access control for AI systems
NIST AI RMF
GOVERN 1.1 - Policies and procedures for AI risk management
OWASP LLM Top 10
LLM08 - Excessive Agency

Frequently Asked Questions

Is CVE-2026-35663 actively exploited?

No confirmed active exploitation of CVE-2026-35663 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-35663?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI agent deployments, agentic AI pipelines.

What is the CVSS score for CVE-2026-35663?

CVE-2026-35663 has a CVSS v3.1 base score of 8.8 (HIGH).

What is the AI security impact?

Affected AI Architectures

agent frameworks, AI agent deployments, agentic AI pipelines

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0049 Exploit Public-Facing Application
AML.T0081 Modify AI Agent Configuration
AML.T0083 Credentials from AI Agent Configuration

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.1.2
NIST AI RMF: GOVERN 1.1
OWASP LLM Top 10: LLM08

What are the technical details?

Original Advisory

OpenClaw before 2026.3.25 contains a privilege escalation vulnerability allowing non-admin operators to self-request broader scopes during backend reconnect. Attackers can bypass pairing requirements to reconnect as operator.admin, gaining unauthorized administrative privileges.

Exploitation Scenario

An adversary with a legitimate but low-privilege operator account — obtained through credential theft, phishing, or an insider — initiates a backend reconnect to the target OpenClaw instance. During the reconnect handshake, they modify the scope parameter to claim operator.admin privileges. Because OpenClaw fails to validate that the requested scope matches the operator's authorized scope and does not enforce pairing requirements during reconnection (CWE-648), the elevated scope is granted without further challenge. The attacker now has full administrative control: they enumerate all agent configurations and stored credentials, install a malicious skill to maintain persistence (mirroring the AIID #1368 pattern), and exfiltrate all data accessible to the agent. In an enterprise context where OpenClaw agents are connected to internal systems, this translates into broad lateral movement and data exfiltration capability.

Weaknesses (CWE)

CWE-648 — Incorrect Use of Privileged APIs: The product does not conform to the API requirements for a function call that requires extra privileges. This could allow attackers to gain privileges by causing the function to be called incorrectly.

  • [Implementation] Before calling privileged APIs, always ensure that the assumptions made by the privileged code hold true prior to making the call.
  • [Architecture and Design] Know architecture and implementation weaknesses of the privileged APIs and make sure to account for these weaknesses before calling the privileged APIs to ensure that they can be called safely.

Source: MITRE CWE corpus.
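A minimal model of the missing check described in the advisory, set beside a reconnect handler that enforces it. This is an added example, not OpenClaw's code or its patch: the pairing store, function names and the operator.read scope are hypothetical.

```python
from dataclasses import dataclass


class ScopeDenied(Exception):
    """Raised when a reconnect asks for scopes that were never paired."""


@dataclass(frozen=True)
class Session:
    operator: str
    scopes: frozenset


# Hypothetical pairing store: scopes approved for each operator at pairing time.
PAIRED_SCOPES = {
    "bob": frozenset({"operator.read"}),
    "carol": frozenset({"operator.read", "operator.admin"}),
}


def reconnect_trusting(operator, requested):
    """Models the flaw: caller-supplied scopes are granted as-is."""
    return Session(operator, frozenset(requested))


def reconnect_checked(operator, requested, paired=PAIRED_SCOPES):
    """Grant only scopes already approved at pairing; fail closed otherwise."""
    approved = paired.get(operator)
    if approved is None:
        raise ScopeDenied(f"no pairing record for {operator!r}")
    requested = frozenset(requested)
    extra = requested - approved
    if extra:
        # Broader scopes must go back through pairing, never through reconnect.
        raise ScopeDenied(f"re-pairing required for: {sorted(extra)}")
    return Session(operator, requested)


if __name__ == "__main__":
    print(reconnect_trusting("bob", ["operator.admin"]))
    try:
        reconnect_checked("bob", ["operator.admin"])
    except ScopeDenied as exc:
        print("denied:", exc)
```

The checked handler verifies the assumption the privileged call depends on (that the scope set was approved at pairing) before issuing the session, which is the CWE-648 implementation guidance applied to this case.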

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
April 10, 2026
Last Modified
June 23, 2026
First Seen
June 23, 2026

Related Vulnerabilities