CVE-2026-35667: OpenClaw: SIGKILL bypass skips security-sensitive cleanup

MEDIUM
Published April 10, 2026
CISO Take

OpenClaw's built-in !stop chat command triggers an unpatched killProcessTree function in shell-utils.ts that sends SIGKILL immediately — bypassing graceful SIGTERM shutdown and skipping all security-sensitive cleanup routines. Any local user with low privileges can invoke this command to corrupt in-progress agent state, cause resource leaks, and leave temporary credential or session artifacts undeleted on disk. With low attack complexity and no user interaction required, the operational and integrity risk is real for teams running OpenClaw in shared or multi-user environments — particularly given that this is an incomplete fix (patch bypass of CVE-2026-27486), meaning organizations that applied the prior patch may believe they are protected when they are not. Upgrade to OpenClaw ≥ 2026.3.24 immediately and audit temp directories for leftover session artifacts from previously abruptly terminated agent processes.

Sources: NVD, GitHub Advisory, VulnCheck, ATLAS

What is the risk?

Medium risk overall, but the incomplete-fix nature raises the urgency above what the raw CVSS 6.1 score suggests. The local attack vector limits internet-facing exposure, but the low privileges required and zero user interaction make exploitation trivial for any insider or co-tenant on shared compute. The high availability impact (A:H) combined with the low integrity impact (I:L) is operationally significant for AI agent deployments, where abrupt termination corrupts active sessions and leaves sensitive cleanup undone. No CISA KEV entry, no public exploit, and 4 downstream dependents keep this in the patch-promptly-but-not-panic category. The skipped security-sensitive cleanup operations are the highest-consequence aspect: depending on what those handlers clear, this could escalate to credential exposure.

How does the attack unfold?

  1. Local Access (AML.T0012): Attacker obtains low-privilege local access to a shared system running an active OpenClaw AI agent session, exploiting an insider position or a shared-compute environment.

  2. Tool Invocation (AML.T0053): Attacker issues the !stop chat command to OpenClaw, triggering the unpatched killProcessTree function in shell-utils.ts that was not covered by the CVE-2026-27486 fix.

  3. Abrupt Termination (AML.T0029): SIGKILL is sent immediately to the entire agent process tree, bypassing all graceful shutdown handlers and security-sensitive cleanup routines without any recovery window.

  4. Impact (AML.T0101): Agent state is corrupted, resource leaks persist, audit logs lose pending entries, and leftover credential or session artifacts remain on disk, enabling credential harvesting and compliance gap exploitation.

What systems are affected?

Package    Ecosystem   Vulnerable Range   Patched
OpenClaw   pip                            No patch

4 dependents · 37% patched · ~3d to patch

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1
6.1 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Trivial

What is the attack surface?

AV (Attack Vector): Local
AC (Attack Complexity): Low
PR (Privileges Required): Low
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): None
I (Integrity): Low
A (Availability): High

What should I do?

5 steps
  1. Patch: upgrade OpenClaw to ≥ 2026.3.24 which contains the complete fix for both CVE-2026-27486 and this bypass.

  2. Workaround: restrict the !stop command via OpenClaw's permission or role configuration to prevent untrusted local users from invoking it.

  3. Audit: inspect temp directories and session artifact paths used by OpenClaw for leftover credential or token files from previously abruptly terminated sessions.

  4. Detection: monitor system logs for unexpected SIGKILL signals on OpenClaw processes; grep for killProcessTree invocations in shell-utils.ts execution logs.

  5. Downstream: verify the 4 dependent packages are also updated and do not expose their own !stop-equivalent command surfaces.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.4 - AI system operation
NIST AI RMF
MANAGE-2.2 - Mechanisms to sustain the value of AI systems are examined and applied
OWASP LLM Top 10
LLM06 - Sensitive Information Disclosure

Frequently Asked Questions

Is CVE-2026-35667 actively exploited?

No confirmed active exploitation of CVE-2026-35667 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-35667?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, local AI agent deployments, AI chat interfaces, multi-user AI workstations, shared AI compute environments.

What is the CVSS score for CVE-2026-35667?

CVE-2026-35667 has a CVSS v3.1 base score of 6.1 (MEDIUM).

What is the AI security impact?

Affected AI Architectures

agent frameworks, local AI agent deployments, AI chat interfaces, multi-user AI workstations, shared AI compute environments

MITRE ATLAS Techniques

AML.T0029 Denial of AI Service
AML.T0053 AI Agent Tool Invocation
AML.T0101 Data Destruction via AI Agent Tool Invocation

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2.4
NIST AI RMF: MANAGE-2.2
OWASP LLM Top 10: LLM06

What are the technical details?

Original Advisory

OpenClaw before 2026.3.24 contains an incomplete fix for CVE-2026-27486 where the !stop chat command uses an unpatched killProcessTree function from shell-utils.ts that sends SIGKILL immediately without graceful SIGTERM shutdown. Attackers can trigger process termination via the !stop command, causing data corruption, resource leaks, and skipped security-sensitive cleanup operations.

Exploitation Scenario

An insider threat or low-privilege user co-located on a server running OpenClaw accesses the chat interface and issues the !stop command during an active AI agent session that is processing sensitive data — API credentials, database connection strings, or user PII in a RAG pipeline. The unpatched killProcessTree function immediately sends SIGKILL to the entire agent process tree, bypassing all graceful shutdown handlers. Cleanup routines that would have deleted temporary credential caches, revoked ephemeral tokens, or flushed pending audit log entries are skipped entirely. The attacker then harvests leftover artifacts from the temp directory. Simultaneously, any in-progress database transactions are rolled back with potential data corruption, disrupting compliance logging. The attacker can repeat this at will — the vulnerability requires no special tooling, only access to the chat interface.

Weaknesses (CWE)

CWE-404 — Improper Resource Shutdown or Release: The product does not release or incorrectly releases a resource before it is made available for re-use.

  • [Requirements] Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, languages such as Java, Ruby, and Lisp perform automatic garbage collection that releases memory for objects that have been deallocated.
  • [Implementation] It is good practice to be responsible for freeing all resources you allocate and to be consistent with how and where you free memory in a function. If you allocate memory that you intend to free upon completion of the function, you must be sure to free the memory at all exit points for that function including error conditions.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

Timeline

Published
April 10, 2026
Last Modified
June 23, 2026
First Seen
June 23, 2026
