CVE-2026-35674: OpenClaw: scope bypass enables full agent admin takeover

HIGH
Published May 29, 2026
CISO Take

OpenClaw's Gateway chat.send route contains a CWE-863 authorization flaw that lets any user with operator.write scope invoke privileged commands gated behind operator.approvals and operator.admin, giving a low-privilege operator full administrative control over plugins, MCP servers, allowlists, and agent configurations. The blast radius is significant: any OpenClaw deployment where operators are granted write scope is exposed to complete platform takeover, including silent modification of MCP tool configurations that could redirect agent behavior or introduce backdoored plugins without triggering any approval workflow. With CVSS 8.8, network-exploitable, no user interaction required, and trivial exploitation complexity, this is a realistic insider-threat and compromised-credential vector — no public exploit code or active exploitation has been observed, but the attack path requires only an existing operator.write credential and knowledge of the inherited route chain. Upgrade immediately to OpenClaw 2026.5.18 or later; as a stopgap, audit and restrict all operator.write scope grants and monitor for anomalous plugin or MCP configuration changes.

Sources: NVD, GitHub Advisory, ATLAS

What is the risk?

High risk. CVSS 8.8 with network attack vector, low complexity, and low privilege requirement makes this broadly exploitable in any multi-user or multi-tenant OpenClaw deployment. The bypass specifically targets the approval workflows designed to gate high-impact changes, meaning the primary control preventing unauthorized platform mutations is fully circumvented. AI agent systems are particularly sensitive to this class of flaw because MCP and plugin modifications can silently alter agent behavior at scale without triggering user-visible alerts, and the effects persist across sessions.

Attack Kill Chain

  1. Authenticated Access (AML.T0012)
     Attacker authenticates to OpenClaw using a compromised or legitimately held operator.write scope credential — the minimum privilege level required to trigger the bypass.

  2. Scope Bypass via Route Inheritance (AML.T0049)
     Attacker sends a crafted payload through the Gateway chat.send route that invokes inherited external routes, causing the authorization layer to skip operator.approvals and operator.admin scope validation entirely.

  3. Unauthorized Agent Mutation (AML.T0081)
     Attacker silently modifies plugins, MCP server configurations, allowlists, or ACP profiles without triggering any approval workflow or generating corresponding audit records.

  4. Persistence and Impact (AML.T0110)
     Backdoored plugins or redirected MCP endpoints persist across all agent sessions, enabling ongoing data exfiltration, agent behavior manipulation, or supply chain compromise of downstream consumers of the agent platform.

What systems are affected?

Package: openclaw
Ecosystem: pip
Patched: No patch
4 dependents, 87% patched, ~0d to patch


Severity & Risk

CVSS 3.1: 8.8 / 10
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

Attack Surface

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): Low
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): High
A (Availability): High

What should I do?

5 steps
  1. Patch: Upgrade OpenClaw to version 2026.5.18 or later — the patched release closes the scope inheritance bypass in the Gateway chat.send route.

  2. Audit: Review all accounts with operator.write scope immediately; restrict grants to the minimum required set and revoke any overly broad assignments.

  3. Detect: Review audit logs for plugin installations, MCP configuration changes, allowlist modifications, and ACP mutations — especially those lacking corresponding operator.approvals records, which are the forensic signature of exploitation.

  4. Workaround (if immediate patching is not possible): Restrict network access to the Gateway chat.send route via API gateway rules or firewall controls until the patch can be applied.

  5. Verify post-patch: Confirm that operator.write-scoped requests against protected routes correctly return authorization errors and that approval workflows are enforced.
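One way to carry out the audit-log review in step 3, as an added example that is not OpenClaw's own tooling: protected mutations are correlated with approval records, and any mutation that has no approval in the preceding window, or that entered through the chat.send route, is flagged. The event names, field names and the sample log lines are constructed assumptions, not OpenClaw's real audit schema.

```python
import json
from datetime import datetime, timedelta

# Hypothetical event and field names for the mutations step 3 asks you to
# review; OpenClaw's real audit schema may differ.
PROTECTED_MUTATIONS = {"plugin.install", "mcp.config.update",
                       "allowlist.update", "acp.profile.update"}
APPROVAL_EVENT = "approval.granted"
ENTRY_ROUTE = "chat.send"

# Constructed sample log (JSON lines): req-41 was approved; req-42 was not
# and arrived through the chat.send route.
SAMPLE_LOG = """\
{"ts": "2026-05-29T10:00:00+00:00", "event": "approval.granted", "actor": "admin1", "request_id": "req-41"}
{"ts": "2026-05-29T10:00:05+00:00", "event": "plugin.install", "actor": "op-a", "request_id": "req-41", "route": "plugins.install"}
{"ts": "2026-05-29T10:07:00+00:00", "event": "mcp.config.update", "actor": "op-b", "request_id": "req-42", "route": "chat.send"}
{"ts": "2026-05-29T10:08:00+00:00", "event": "chat.send", "actor": "op-b", "request_id": "req-43", "route": "chat.send"}
"""


def parse_log(text: str) -> list[dict]:
    """Parse JSON-lines audit records, converting timestamps to datetimes."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for rec in events:
        rec["ts"] = datetime.fromisoformat(rec["ts"])
    return events


def suspicious_mutations(events: list[dict],
                         window: timedelta = timedelta(minutes=15)) -> list[tuple[str, list[str]]]:
    """Return (request_id, reasons) for protected mutations that have no
    approval within `window` before them or that entered via chat.send."""
    approvals: dict[str, list[datetime]] = {}
    for e in events:
        if e["event"] == APPROVAL_EVENT:
            approvals.setdefault(e["request_id"], []).append(e["ts"])
    findings = []
    for e in events:
        if e["event"] not in PROTECTED_MUTATIONS:
            continue
        reasons = []
        # The approval must precede the mutation and fall inside the window.
        if not any(timedelta(0) <= e["ts"] - a <= window
                   for a in approvals.get(e["request_id"], [])):
            reasons.append("no operator.approvals record")
        if e.get("route") == ENTRY_ROUTE:
            reasons.append("protected mutation delivered via chat.send")
        if reasons:
            findings.append((e["request_id"], reasons))
    return findings
```

Run `suspicious_mutations(parse_log(SAMPLE_LOG))` to see req-42 flagged on both signals while the approved req-41 passes.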

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness, and cybersecurity
Article 9 - Risk management system
ISO 42001
A.6.2 - AI system roles and responsibilities
A.8.4 - Access control for AI systems
NIST AI RMF
GOVERN 1.2 - Accountability structures for AI risks
OWASP LLM Top 10
LLM08:2025 - Excessive Agency

Frequently Asked Questions

Is CVE-2026-35674 actively exploited?

No confirmed active exploitation of CVE-2026-35674 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-35674?

This vulnerability affects the following AI/ML architecture patterns: Agent frameworks, MCP (Model Context Protocol) deployments, AI gateway and proxy architectures, Plugin-based AI systems, Multi-user AI agent platforms.

What is the CVSS score for CVE-2026-35674?

CVE-2026-35674 has a CVSS v3.1 base score of 8.8 (HIGH).

AI Security Impact

Affected AI Architectures

Agent frameworks
MCP (Model Context Protocol) deployments
AI gateway and proxy architectures
Plugin-based AI systems
Multi-user AI agent platforms

MITRE ATLAS Techniques

AML.T0049 Exploit Public-Facing Application
AML.T0053 AI Agent Tool Invocation
AML.T0081 Modify AI Agent Configuration
AML.T0107 Exploitation for Defense Evasion
AML.T0110 AI Agent Tool Poisoning

Compliance Controls Affected

EU AI Act: Article 15, Article 9
ISO 42001: A.6.2, A.8.4
NIST AI RMF: GOVERN 1.2
OWASP LLM Top 10: LLM08:2025

Technical Details

Original Advisory

OpenClaw before 2026.5.18 contains a scope bypass vulnerability in the Gateway chat.send route that allows scoped clients to execute privileged commands. Attackers with operator.write scope can deliver commands through inherited external routes to bypass operator.approvals and operator.admin scope requirements, enabling unauthorized plugin, config, MCP, allowlist, and ACP mutations.

Exploitation Scenario

An adversary with a compromised operator account holding operator.write scope authenticates to OpenClaw. Using the Gateway chat.send route, they craft a payload that invokes an inherited external route, causing the server to evaluate the request without applying the operator.approvals or operator.admin scope check. The attacker then installs a backdoored MCP server configuration pointing agent tool calls to attacker-controlled infrastructure, or deploys a plugin that intercepts conversation context and exfiltrates it externally. Because operator.approvals is bypassed, no approval workflow fires, no admin alert is generated, and the configuration change persists silently across all subsequent agent sessions.
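The route-inheritance pattern described above, modeled as an added illustration that is not OpenClaw's code: an authorizer that checks only the entry route's scopes sits beside one that resolves the scopes of the route the request actually lands on, which is the check step 5 asks you to verify after patching. The route names, scope sets and inheritance table are assumptions for the example, not OpenClaw's real identifiers.

```python
from dataclasses import dataclass

# Hypothetical route table: each route lists the scopes a caller must hold.
ROUTE_SCOPES = {
    "chat.send": {"operator.write"},
    "plugins.install": {"operator.write", "operator.admin"},
    "mcp.servers.set": {"operator.write", "operator.approvals"},
}

# Hypothetical inheritance: a command delivered via chat.send may be
# forwarded to one of these external routes.
INHERITED_ROUTES = {"chat.send": {"plugins.install", "mcp.servers.set"}}


@dataclass
class Request:
    entry_route: str
    target_route: str        # route the payload actually invokes
    scopes: frozenset[str]   # scopes carried by the caller's credential


def authorize_vulnerable(req: Request) -> bool:
    """CWE-863 pattern: only the entry route is checked; the forwarded
    target route's scope requirements are never consulted."""
    return ROUTE_SCOPES[req.entry_route] <= req.scopes


def required_scopes(entry_route: str, target_route: str) -> set[str]:
    """Union of the entry route's scopes and the effective target's scopes.
    Targets outside the declared inheritance set are rejected outright."""
    if target_route != entry_route and target_route not in INHERITED_ROUTES.get(entry_route, set()):
        raise PermissionError(f"{target_route} is not reachable from {entry_route}")
    return ROUTE_SCOPES[entry_route] | ROUTE_SCOPES[target_route]


def authorize_fixed(req: Request) -> bool:
    """Authorizes against the route the request ultimately lands on."""
    return required_scopes(req.entry_route, req.target_route) <= req.scopes


if __name__ == "__main__":
    low_priv = Request("chat.send", "plugins.install", frozenset({"operator.write"}))
    print(authorize_vulnerable(low_priv))  # True: the bypass
    print(authorize_fixed(low_priv))       # False: operator.admin required
```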

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
May 29, 2026
Last Modified
May 29, 2026
First Seen
May 29, 2026

Related Vulnerabilities