CVE-2026-35664: OpenClaw: auth bypass enables unauthorized callback injection
Severity: MEDIUM
CVE-2026-35664 is an authentication bypass (CWE-288) in OpenClaw's raw card send surface that lets any unauthenticated, network-accessible attacker mint legacy callback payloads for arbitrary recipients without completing the required DM pairing handshake. The CVSS 5.3 Medium score understates contextual risk: in an AI agent framework, unauthorized callback invocation can cascade into downstream agent tool calls and workflow manipulation operating under the agent's full authorized scope. OpenClaw carries 395 tracked CVEs in this package and a documented ecosystem abuse incident (AIID #1368) where malicious skills delivered credential stealers — signaling this platform's attack surface is under sustained adversarial attention, even with no public exploit or KEV listing for this specific issue. Teams running OpenClaw should upgrade to version 2026.3.25 or later immediately and audit callback handler logs for invocations originating outside established pairing sessions.
What is the risk?
Medium technical severity (CVSS 5.3), elevated contextual risk in AI agent deployments. The CVSS vector AV:N/AC:L/PR:N/UI:N means network-exploitable by an unauthenticated attacker with no complexity barrier — a trivially low exploitation bar. The integrity-only impact rating (I:L) understates AI-specific exposure: unauthorized callback invocation in an agent orchestration context can trigger agent tool calls, data retrieval, and workflow steps far beyond what the CVSS impact column captures. Blast radius is currently limited to 4 tracked downstream dependents. However, OpenClaw's 395-CVE history and AIID #1368's malicious skills campaign on the same platform indicate active adversarial interest. Risk rating: Medium-High for organizations where OpenClaw participates in production agent workflows.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| OpenClaw | pip | — | No patch |
Do you use OpenClaw? You're affected.
What should I do?
1. Patch immediately: Upgrade OpenClaw to 2026.3.25 or later (patch commit 81c45976db532324b5a0918a70decc19520dc354 on GitHub).
2. Network hardening: If patching is delayed, restrict network access to OpenClaw endpoints to verified agent peers only; apply firewall ACLs or mTLS between agent nodes to compensate for the missing pairing validation.
3. Detection: Enable verbose callback handler logging; alert on any raw card command received outside an established DM pairing session or from unrecognized sender identities.
4. Skill/callback inventory audit: Cross-reference installed OpenClaw skills against known-good sources given AIID #1368's precedent of malicious skills exploiting this platform's ecosystem — treat any suspected exploitation as a potential skill-layer pivot.
5. Post-patch verification: Confirm the upgrade applied correctly by testing that unpaired raw card commands are rejected at the surface layer before returning to normal monitoring posture.
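The detection step above can be prototyped as follows. This is an added example, not code from OpenClaw or from the advisory; the JSON-lines log format, the event names (`dm_pairing_established`, `dm_pairing_closed`, `raw_card_send`) and the field names are assumptions constructed for illustration and must be mapped to whatever your callback handler actually logs.

```python
import json

# Constructed sample events. The schema (event, sender, recipient, session)
# is an assumption for this example, not OpenClaw's real log format.
SAMPLE_LOG = """\
{"ts": "2026-04-01T10:00:00Z", "event": "dm_pairing_established", "sender": "agent-a", "recipient": "agent-b", "session": "s1"}
{"ts": "2026-04-01T10:00:05Z", "event": "raw_card_send", "sender": "agent-a", "recipient": "agent-b", "session": "s1"}
{"ts": "2026-04-01T10:01:00Z", "event": "raw_card_send", "sender": "unknown-7", "recipient": "agent-b", "session": null}
{"ts": "2026-04-01T10:02:00Z", "event": "dm_pairing_closed", "sender": "agent-a", "recipient": "agent-b", "session": "s1"}
{"ts": "2026-04-01T10:02:30Z", "event": "raw_card_send", "sender": "agent-a", "recipient": "agent-b", "session": "s1"}
not-json line from another component
"""


def find_unpaired_raw_cards(log_text, known_senders):
    """Return (ts, sender, recipient, reason) for every raw card send that
    arrives outside an established pairing or from an unrecognized sender."""
    paired = set()  # (sender, recipient, session) tuples currently established
    alerts = []
    for line in log_text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate interleaved lines from other log sources
        if not isinstance(ev, dict):
            continue
        key = (ev.get("sender"), ev.get("recipient"), ev.get("session"))
        kind = ev.get("event")
        if kind == "dm_pairing_established":
            paired.add(key)
        elif kind == "dm_pairing_closed":
            paired.discard(key)
        elif kind == "raw_card_send":
            if ev.get("sender") not in known_senders:
                reason = "unrecognized sender"
            elif key not in paired:
                reason = "no established pairing"
            else:
                continue  # paired, known sender: expected traffic
            alerts.append((ev.get("ts"), ev.get("sender"),
                           ev.get("recipient"), reason))
    return alerts


if __name__ == "__main__":
    for alert in find_unpaired_raw_cards(SAMPLE_LOG, {"agent-a", "agent-b"}):
        print(alert)
```

Because pairing state is tracked per session, a raw card sent after the pairing was closed is flagged even when the sender is otherwise known.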
Frequently Asked Questions
Is CVE-2026-35664 actively exploited?
No confirmed active exploitation of CVE-2026-35664 has been reported, but organizations should still patch proactively.
What systems are affected by CVE-2026-35664?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, multi-agent orchestration systems, AI agent-to-agent communication pipelines.
What is the CVSS score for CVE-2026-35664?
CVE-2026-35664 has a CVSS v3.1 base score of 5.3 (MEDIUM).
What is the AI security impact?
MITRE ATLAS Techniques
- AML.T0049 Exploit Public-Facing Application
- AML.T0053 AI Agent Tool Invocation
- AML.T0107 Exploitation for Defense Evasion
What are the technical details?
Original Advisory
OpenClaw before 2026.3.25 contains an authentication bypass vulnerability in raw card send surface that allows unpaired recipients to mint legacy callback payloads. Attackers can send raw card commands to bypass DM pairing restrictions and reach callback handling without proper authorization.
Exploitation Scenario
An attacker enumerates an organization's network and identifies a publicly reachable OpenClaw agent endpoint via port scan or passive OSINT on the organization's AI agent stack. Without credentials or prior pairing, the attacker crafts a raw card command targeting a known or enumerated recipient identity within the OpenClaw deployment. The legacy callback path accepts the payload, bypassing the pairing validation gate, and invokes the target's callback handler. The handler executes within the agent's authorized execution context — potentially triggering downstream tool calls, data retrieval operations, or inter-agent messages that the attacker could not initiate through legitimate channels. Following the AIID #1368 pattern, a sophisticated attacker could use this foothold to deliver a malicious skill payload through the now-trusted callback channel, establishing persistence within the agent workflow.
Weaknesses (CWE)
CWE-288 — Authentication Bypass Using an Alternate Path or Channel: The product requires authentication, but the product has an alternate path or channel that does not require authentication.
- [Architecture and Design] Funnel all access through a single choke point to simplify how users can access a resource. For every access, perform a check to determine if the user has permissions to access the resource.
Source: MITRE CWE corpus.
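The CWE-288 pattern and the choke-point mitigation quoted above, shown side by side in a toy model. This is an added example, not OpenClaw's code or its patch; `CardGateway`, its methods and `reaches_handler` are hypothetical names chosen for illustration.

```python
class PairingRequired(Exception):
    """Raised when a sender has not completed pairing with the recipient."""


class CardGateway:
    """Hypothetical message gateway with two send surfaces (DM and raw card)."""

    def __init__(self):
        self._paired = set()   # (sender, recipient) pairs that completed pairing
        self.delivered = []    # (recipient, payload) that reached a handler

    def pair(self, sender, recipient):
        self._paired.add((sender, recipient))

    def _invoke_callback(self, recipient, payload):
        self.delivered.append((recipient, payload))

    # Vulnerable shape: the check lives in one entry point only, so the
    # second surface is an alternate path around it (CWE-288).
    def send_dm_vulnerable(self, sender, recipient, payload):
        if (sender, recipient) not in self._paired:
            raise PairingRequired(f"{sender} is not paired with {recipient}")
        self._invoke_callback(recipient, payload)

    def send_raw_card_vulnerable(self, sender, recipient, card):
        self._invoke_callback(recipient, {"legacy": True, "card": card})

    # Hardened shape: every surface funnels through one authorizing method,
    # and nothing else calls _invoke_callback directly.
    def _authorized_invoke(self, sender, recipient, payload):
        if (sender, recipient) not in self._paired:
            raise PairingRequired(f"{sender} is not paired with {recipient}")
        self._invoke_callback(recipient, payload)

    def send_dm(self, sender, recipient, payload):
        self._authorized_invoke(sender, recipient, payload)

    def send_raw_card(self, sender, recipient, card):
        self._authorized_invoke(sender, recipient, {"legacy": True, "card": card})


def reaches_handler(send, sender="unpaired-sender", recipient="agent-b"):
    """Regression check: True if an unpaired sender reaches a callback handler."""
    try:
        send(sender, recipient, {"text": "probe"})
        return True
    except PairingRequired:
        return False
```

A check like `reaches_handler` run against every send surface is the kind of regression test the post-patch verification step calls for.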
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Related Vulnerabilities
| CVE | CVSS | Summary | Relation |
|---|---|---|---|
| CVE-2026-33579 | 9.9 | Analysis pending | Same package: openclaw |
| CVE-2026-32922 | 9.9 | Analysis pending | Same package: openclaw |
| CVE-2026-32038 | 9.8 | Analysis pending | Same package: openclaw |
| CVE-2026-53838 | 9.8 | OpenClaw: approval scope bypass via reconnection state | Same package: openclaw |
| CVE-2026-30741 | 9.8 | OpenClaw: RCE via request-side prompt injection | Same package: openclaw |