CVE-2026-35627
Published: 09 April 2026
Summary
CVE-2026-35627 is a medium-severity Incorrect Behavior Order (CWE-696) vulnerability in Openclaw Openclaw. Its CVSS base score is 6.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 30.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-5 (Denial-of-service Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Enforces approved access policies including sender and pairing validation before logical access to perform cryptographic and dispatch operations on inbound Nostr DMs.
Validates inbound Nostr DMs for policy compliance at system entry points prior to resource-intensive cryptographic processing, preventing unauthorized computation.
Provides denial-of-service protections against resource exhaustion triggered by crafted pre-authentication DMs causing excessive CPU workloads.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability enables remote unauthenticated attackers to cause resource exhaustion (CPU via pre-validation crypto/dispatch ops on crafted Nostr DMs), directly mapping to Endpoint Denial of Service via Application or System Exploitation.
NVD Description
OpenClaw before 2026.3.22 performs cryptographic and dispatch operations on inbound Nostr direct messages before enforcing sender and pairing policy validation. Attackers can trigger unauthorized pre-authentication computation by sending crafted DM messages, enabling denial of service through resource exhaustion.
Deeper analysisAI
CVE-2026-35627 affects OpenClaw versions prior to 2026.3.22, specifically in the handling of inbound Nostr direct messages (DMs). The vulnerability arises because the software performs cryptographic operations and dispatch processing on these messages before enforcing sender and pairing policy validation, violating CWE-696 (Incorrect Behavior Order). This misordered logic allows unauthorized pre-authentication computation, as scored at CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L), indicating network-accessible exploitation with low complexity and no privileges required.
Attackers can exploit this remotely without authentication by sending crafted DMs to any vulnerable OpenClaw instance exposed to untrusted networks. Successful exploitation triggers excessive cryptographic workloads and resource-intensive dispatch operations, leading to denial of service through exhaustion of CPU and other resources. The impact includes low-level integrity disruption (I:L) alongside availability impairment (A:L), potentially degrading service for legitimate users.
Mitigation is available via patches in OpenClaw commits 1ee9611079e81b9122f4bed01abb3d9f56206c77 and 630f1479c44f78484dfa21bb407cbe6f171dac87, which reorder validation ahead of computation. The GitHub security advisory (GHSA-65h8-27jh-q8wv) and VulnCheck advisory detail the fix, recommending immediate upgrade to OpenClaw 2026.3.22 or later for affected deployments handling Nostr DMs.
Details
- CWE(s)