Cyber Resilience

CVE-2026-35627

MediumPublic PoC

Published: 09 April 2026

Published
09 April 2026
Modified
16 April 2026
KEV Added
Patch
CVSS Score v4 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0045 36.1th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-35627 is a medium-severity Incorrect Behavior Order (CWE-696) vulnerability in Openclaw Openclaw. Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 36.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-5 (Denial-of-service Protection).

Deeper analysis

CVE-2026-35627 affects OpenClaw versions prior to 2026.3.22, specifically in the handling of inbound Nostr direct messages (DMs). The vulnerability arises because the software performs cryptographic operations and dispatch processing on these messages before enforcing sender and pairing policy validation, violating CWE-696 (Incorrect Behavior Order). This misordered logic allows unauthorized pre-authentication computation, as scored at CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L), indicating network-accessible exploitation with low complexity and no privileges required.

Attackers can exploit this remotely without authentication by sending crafted DMs to any vulnerable OpenClaw instance exposed to untrusted networks. Successful exploitation triggers excessive cryptographic workloads and resource-intensive dispatch operations, leading to denial of service through exhaustion of CPU and other resources. The impact includes low-level integrity disruption (I:L) alongside availability impairment (A:L), potentially degrading service for legitimate users.

Mitigation is available via patches in OpenClaw commits 1ee9611079e81b9122f4bed01abb3d9f56206c77 and 630f1479c44f78484dfa21bb407cbe6f171dac87, which reorder validation ahead of computation. The GitHub security advisory (GHSA-65h8-27jh-q8wv) and VulnCheck advisory detail the fix, recommending immediate upgrade to OpenClaw 2026.3.22 or later for affected deployments handling Nostr DMs.

EU & UK References

Vulnerability details

OpenClaw before 2026.3.22 performs cryptographic and dispatch operations on inbound Nostr direct messages before enforcing sender and pairing policy validation. Attackers can trigger unauthorized pre-authentication computation by sending crafted DM messages, enabling denial of service through resource exhaustion.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The vulnerability enables remote unauthenticated attackers to cause resource exhaustion (CPU via pre-validation crypto/dispatch ops on crafted Nostr DMs), directly mapping to Endpoint Denial of Service via Application or System Exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-35640Same product: Openclaw Openclaw
CVE-2026-35637Same product: Openclaw Openclaw
CVE-2026-41400Same product: Openclaw Openclaw
CVE-2026-35652Same product: Openclaw Openclaw
CVE-2026-29612Same product: Openclaw Openclaw
CVE-2026-22178Same product: Openclaw Openclaw
CVE-2026-28461Same product: Openclaw Openclaw
CVE-2026-32049Same product: Openclaw Openclaw
CVE-2026-41405Same product: Openclaw Openclaw
CVE-2026-32011Same product: Openclaw Openclaw

Affected Assets

openclaw
openclaw
≤ 2026.3.22

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces approved access policies including sender and pairing validation before logical access to perform cryptographic and dispatch operations on inbound Nostr DMs.

prevent

Validates inbound Nostr DMs for policy compliance at system entry points prior to resource-intensive cryptographic processing, preventing unauthorized computation.

prevent

Provides denial-of-service protections against resource exhaustion triggered by crafted pre-authentication DMs causing excessive CPU workloads.

References