CVE-2026-35669: OpenClaw: privilege escalation via plugin scope bypass

HIGH
Published April 10, 2026
CISO Take

CVE-2026-35669 is a privilege escalation flaw in OpenClaw, an AI agent framework, where gateway-authenticated plugin HTTP routes incorrectly mint operator.admin runtime scope regardless of the caller's actual granted permissions — meaning any authenticated user with the lowest access tier can silently obtain full administrative control. The CVSS 8.8 score reflects a network-accessible, low-complexity exploit requiring only a valid low-privilege account and no user interaction, placing this in the highest-urgency patch tier for any organisation running AI agent workflows on this stack. While no public exploit currently exists and the vulnerability is absent from CISA KEV, the trivially low exploitation barrier is compounded by OpenClaw's documented plugin ecosystem abuse (AIID #1368: malicious skills delivering credential-stealing malware via ClawHub), making this a realistic stepping stone to agent hijacking and data exfiltration. Upgrade to OpenClaw 2026.3.25 or later immediately via patch commit ec2dbcff; if patching is delayed, restrict network access to plugin HTTP routes at the perimeter and audit logs for unexpected operator.admin scope grants.

Sources: NVD, GitHub Advisory, ATLAS

What is the risk?

CVSS 8.8 (High) with AV:N/AC:L/PR:L/UI:N yields one of the most exploitable privilege escalation profiles: any authenticated session is a potential attack vector. For AI agent deployments the blast radius extends well beyond traditional privilege escalation: operator.admin scope in an agent framework typically controls plugin lifecycle, agent configuration, and tool invocation authority over connected external systems. The 395 prior CVEs catalogued against this package signal systemic security debt in the codebase, increasing the probability of compound exploit chains. The absence of a public exploit or of evidence of active exploitation reduces the immediate wildfire risk, but the zero-skill-requirement exploitation profile means weaponisation can occur quickly once details circulate.

How does the attack unfold?

Initial Access (AML.T0012): Attacker authenticates to OpenClaw with a low-privilege account obtained via phishing, credential stuffing, or self-registration on a multi-tenant instance.

Exploitation (AML.T0049): Attacker sends an HTTP request to a gateway-authenticated plugin HTTP route; the vulnerable scope-minting logic issues an operator.admin runtime token ignoring the caller's actual permission grants.

Privilege Escalation (AML.T0091.000): Attacker holds an operator.admin application access token, granting full control over agent configurations, plugin lifecycle, and tool invocation authority.

Impact (AML.T0081): Attacker installs a malicious plugin to harvest credentials and sensitive data from active agent sessions, or reconfigures agent tool integrations to exfiltrate RAG-indexed data to an attacker-controlled endpoint.

What systems are affected?

Package    Ecosystem    Vulnerable Range    Patched
OpenClaw   pip                              No patch

4 dependents, 37% patched, ~3d to patch

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1: 8.8 / 10
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

What is the attack surface?

AV Network
AC Low
PR Low
UI None
S Unchanged
C High
I High
A High

What should I do?

  1. Upgrade OpenClaw to version 2026.3.25 or later — patch commit ec2dbcff9afd8a52e00de054b506c91726d9fbbe corrects the scope minting logic in gateway plugin HTTP route handlers.

  2. If immediate patching is blocked, restrict network-layer access to OpenClaw plugin HTTP routes to explicitly trusted IP ranges via firewall ACL or reverse proxy allowlist.

  3. Audit authentication and authorisation logs for accounts that exercised operator.admin scope without having been explicitly granted admin privileges — focus on the window between 2026-04-10 (publish date) and patch application.

  4. Rotate credentials and API tokens that were accessible via admin scope during the exposure window.

  5. Review all installed plugins against AIID #1368 indicators: skills with unexpected network egress, credential file access, or AMOS stealer signatures.

  6. Implement scope-anomaly alerting in your SIEM to flag future mismatches between granted and exercised runtime scopes.
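
The audit in step 3 and the alert in step 6 come down to the same comparison: scopes a request ran with versus scopes the caller was granted. The following is an added example, not OpenClaw code. The log schema (ts, principal, granted, runtime, route), the routes, the patch time and every scope name other than operator.admin are assumptions to be mapped to your own audit logs.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

EXPOSURE_START = datetime(2026, 4, 10, tzinfo=timezone.utc)  # advisory publish date
PATCHED_AT = datetime(2026, 4, 20, tzinfo=timezone.utc)      # constructed: your own patch time

# Constructed sample events. Field names, routes and every scope other than
# operator.admin are assumptions; map them to your own audit log schema.
SAMPLE_LOG = """\
{"ts":"2026-04-09T08:00:00Z","principal":"carol","granted":["operator.read"],"runtime":["operator.admin"],"route":"/plugins/notes/sync"}
{"ts":"2026-04-11T09:15:02Z","principal":"alice","granted":["operator.admin"],"runtime":["operator.admin"],"route":"/plugins/notes/sync"}
{"ts":"2026-04-11T09:16:40Z","principal":"bob","granted":["operator.read"],"runtime":["operator.admin"],"route":"/plugins/notes/sync"}
{"ts":"2026-04-12T14:03:11Z","principal":"bob","granted":["operator.read"],"runtime":["operator.admin"],"route":"/plugins/mail/send"}
not-json
{"ts":"2026-04-13T10:00:00Z","principal":"dave","granted":["operator.read"],"runtime":["operator.read"],"route":"/plugins/mail/send"}
"""

def find_scope_mismatches(lines, start=EXPOSURE_START, end=PATCHED_AT):
    """Return (findings, skipped): per-principal summaries of in-window events
    whose runtime scopes exceed the granted scopes, plus a count of bad records."""
    findings = defaultdict(lambda: {"count": 0, "excess": set(), "routes": set(),
                                    "first": None, "last": None})
    skipped = 0
    for line in lines:
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
            ts = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
            in_window = start <= ts <= end
            excess = set(ev["runtime"]) - set(ev["granted"])
            principal, route = ev["principal"], ev["route"]
        except (ValueError, KeyError, TypeError, AttributeError):
            skipped += 1  # unparseable records are counted, never silently dropped
            continue
        if not in_window or not excess:
            continue
        f = findings[principal]
        f["count"] += 1
        f["excess"] |= excess
        f["routes"].add(route)
        f["first"] = ts if f["first"] is None else min(f["first"], ts)
        f["last"] = ts if f["last"] is None else max(f["last"], ts)
    return dict(findings), skipped

if __name__ == "__main__":
    hits, bad = find_scope_mismatches(SAMPLE_LOG.splitlines())
    print(hits, "unparseable:", bad)
```

The first and last timestamps per principal bound the period to use when deciding which credentials to rotate in step 4.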

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, Robustness and Cybersecurity
ISO 42001
A.6.1.3 - AI System Access Control and Authorisation
NIST AI RMF
MANAGE 2.2 - AI Risk Mitigation and Response
OWASP LLM Top 10
LLM07 - Insecure Plugin Design
LLM08 - Excessive Agency

Frequently Asked Questions

Is CVE-2026-35669 actively exploited?

No confirmed active exploitation of CVE-2026-35669 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-35669?

This vulnerability affects the following AI/ML architecture patterns: AI agent frameworks, Plugin-based agent orchestration, API gateway integrations, Multi-tenant AI platforms, RAG pipelines.

What is the CVSS score for CVE-2026-35669?

CVE-2026-35669 has a CVSS v3.1 base score of 8.8 (HIGH).

What is the AI security impact?

Affected AI Architectures

AI agent frameworks
Plugin-based agent orchestration
API gateway integrations
Multi-tenant AI platforms
RAG pipelines

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0049 Exploit Public-Facing Application
AML.T0053 AI Agent Tool Invocation
AML.T0081 Modify AI Agent Configuration
AML.T0091.000 Application Access Token

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.1.3
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM07, LLM08

What are the technical details?

Original Advisory

OpenClaw before 2026.3.25 contains a privilege escalation vulnerability in gateway-authenticated plugin HTTP routes that incorrectly mint operator.admin runtime scope regardless of caller-granted scopes. Attackers can exploit this scope boundary bypass to gain elevated privileges and perform unauthorized administrative actions.
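
The scope boundary the advisory describes can be stated as an invariant: the runtime scopes minted for a request must be a subset of the scopes the caller was granted. The following is an added example, a simplified model rather than OpenClaw's code or its patch. The function names and the operator.read and operator.write scopes are hypothetical. It checks that invariant exhaustively against a minting function, in a form usable as a regression test.

```python
from itertools import combinations

ADMIN = "operator.admin"                               # scope named in the advisory
SCOPES = ("operator.read", "operator.write", ADMIN)    # read/write are constructed

def mint_vulnerable(granted, required):
    """Model of the flaw: an authenticated caller always receives operator.admin."""
    return frozenset({ADMIN})

def mint_bounded(granted, required):
    """One way to enforce the boundary: mint only what the route requires,
    and only when the caller already holds every required scope."""
    granted, required = frozenset(granted), frozenset(required)
    missing = required - granted
    if missing:
        raise PermissionError(f"caller lacks scopes: {sorted(missing)}")
    return required

def escalations(mint):
    """Try every granted/required combination and return the cases where the
    minted runtime scopes are not a subset of the caller's granted scopes."""
    subsets = [frozenset(c) for n in range(len(SCOPES) + 1)
               for c in combinations(SCOPES, n)]
    bad = []
    for granted in subsets:
        for required in subsets:
            try:
                runtime = mint(granted, required)
            except PermissionError:
                continue  # request denied: nothing was minted
            if not runtime <= granted:
                bad.append((sorted(granted), sorted(runtime - granted)))
    return bad

if __name__ == "__main__":
    print("vulnerable model:", len(escalations(mint_vulnerable)), "escalating cases")
    print("bounded model:   ", len(escalations(mint_bounded)), "escalating cases")
```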

Exploitation Scenario

An attacker with a low-privilege OpenClaw account — obtained via credential phishing, a leaked integration token, or self-registration on a multi-tenant instance — sends an ordinary HTTP request to any gateway-authenticated plugin route. The vulnerable scope-assignment logic issues an operator.admin runtime token without validating the caller's actual permission grants. Armed with admin scope, the attacker installs a malicious plugin mirroring the AIID #1368 attack pattern: the plugin silently harvests credentials and sensitive context data processed by active AI agent sessions, or modifies existing agent configurations to redirect tool outputs to an attacker-controlled endpoint. In enterprise environments where the OpenClaw agent holds access to internal databases, code execution environments, or customer data via RAG, this pivot enables sustained data exfiltration with no user-facing anomalies and no need for further exploitation.

Weaknesses (CWE)

CWE-648 — Incorrect Use of Privileged APIs: The product does not conform to the API requirements for a function call that requires extra privileges. This could allow attackers to gain privileges by causing the function to be called incorrectly.

  • [Implementation] Before calling privileged APIs, always ensure that the assumptions made by the privileged code hold true prior to making the call.
  • [Architecture and Design] Know architecture and implementation weaknesses of the privileged APIs and make sure to account for these weaknesses before calling the privileged APIs to ensure that they can be called safely.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: April 10, 2026
Last Modified: June 23, 2026
First Seen: June 23, 2026
