CVE-2026-35618
Published: 09 April 2026
Summary
CVE-2026-35618 is a high-severity Authentication Bypass by Capture-replay (CWE-294) vulnerability in OpenClaw (vendor: Openclaw). Its CVSS base score is 8.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 19.9th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-21103
Vulnerability details
OpenClaw before 2026.3.23 contains a replay identity vulnerability in Plivo V2 signature verification that allows attackers to bypass replay protection by modifying query parameters. The verification path derives replay keys from the full URL including query strings instead of the canonicalized base URL, enabling attackers to mint new verified request keys through unsigned query-only changes to signed requests.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Bypassing replay protection in the API signature verification lets an attacker exploit the public-facing service with replayed or query-modified requests (CWE-294).
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Allows detection of capture-replay attacks by showing the replayed logon's timestamp as the last logon.
- Protects against replay of captured session tokens or credentials by requiring authenticated, fresh session channels.
- Wireless link protections commonly incorporate replay protection, reducing the exploitability of capture-replay weaknesses.
- Accurate synchronized time enables tight timestamp windows that directly limit capture-replay windows in authentication protocols.