CVE-2026-35663
Published: 10 April 2026
Summary
CVE-2026-35663 is a high-severity Incorrect Use of Privileged APIs (CWE-648) vulnerability in Openclaw Openclaw. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 13.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Enforces least privilege by restricting non-admin operators from self-requesting or obtaining broader admin scopes during backend reconnects.
Requires enforcement of approved access authorizations to block unauthorized privilege escalation via self-claimed scopes on reconnect.
Mandates re-authentication prior to privilege changes, preventing bypass of pairing requirements during backend reconnects to gain admin access.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CVE explicitly describes a privilege escalation vulnerability allowing non-admin operators to bypass restrictions and gain administrative privileges via self-requested broader scopes during reconnects.
NVD Description
OpenClaw before 2026.3.25 contains a privilege escalation vulnerability allowing non-admin operators to self-request broader scopes during backend reconnect. Attackers can bypass pairing requirements to reconnect as operator.admin, gaining unauthorized administrative privileges.
Deeper analysisAI
CVE-2026-35663, published on 2026-04-10, is a privilege escalation vulnerability in OpenClaw versions before 2026.3.25. It enables non-admin operators to self-request broader scopes during backend reconnects, bypassing pairing requirements to reconnect as operator.admin and gain unauthorized administrative privileges. The issue is rated with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-648.
Low-privileged users, specifically non-admin operators, can exploit this vulnerability over the network with low attack complexity and no user interaction required. Successful exploitation allows attackers to elevate privileges to full administrative access, potentially compromising confidentiality, integrity, and availability of the affected system to a high degree.
Advisories recommend upgrading to OpenClaw 2026.3.25 or later, where the vulnerability is addressed via a fix in GitHub commit d3d8e316bd819d3c7e34253aeb7eccb2510f5f48. Further details on the issue and remediation are available in the GitHub security advisory at https://github.com/openclaw/openclaw/security/advisories/GHSA-9hjh-fr4f-gxc4 and the VulnCheck advisory at https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-backend-reconnect-scope-self-claim.
Details
- CWE(s)