Medium severity (4.2) · NVD Advisory · Published Apr 9, 2026 · Updated Apr 17, 2026
CVE-2026-35624
Description
OpenClaw before 2026.3.22 contains a policy confusion vulnerability in room authorization that matches colliding room names instead of stable room tokens. Attackers can exploit similarly named rooms to bypass allowlist policies and gain unauthorized access to protected Nextcloud Talk rooms.
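The description above names the pattern: an allowlist intended to identify rooms by the stable token the server assigns ends up being evaluated against the human-chosen room name, so a second room carrying the same name passes the check. The following is an added illustration of that pattern and of the corrected check; it is not OpenClaw's code, and the room records, tokens, policy shape and function names are constructed for the example.

```javascript
// Added illustration (not OpenClaw code): why an allowlist must key on a
// stable room token rather than on a human-chosen, collidable room name.
// Room records and policy below are constructed sample data.

// Constructed sample: two Nextcloud Talk-style rooms that share a display
// name; only the first one is meant to be reachable by the agent.
const ROOMS = [
  { token: "a1b2c3d4", name: "Ops Incident Bridge" }, // intended, allowlisted
  { token: "z9y8x7w6", name: "Ops Incident Bridge" }, // colliding name, not allowlisted
];

// Allowlist as written by an operator. A room is referenced by the stable
// token the server assigned to it; names are only for humans.
const POLICY = { allowedRoomTokens: new Set(["a1b2c3d4"]) };

// Weak check: resolves the allowlisted tokens to room names and then matches
// incoming rooms by name. Any room that happens to carry the same name
// passes, which is the policy-confusion pattern described in the advisory.
function isAllowedByName(room, policy, rooms) {
  const allowedNames = new Set(
    rooms.filter((r) => policy.allowedRoomTokens.has(r.token)).map((r) => r.name)
  );
  return allowedNames.has(room.name);
}

// Hardened check: compares only the stable token. The display name never
// enters the decision, so a colliding name cannot widen the allowlist.
function isAllowedByToken(room, policy) {
  return typeof room.token === "string" && policy.allowedRoomTokens.has(room.token);
}

// Evaluate every room under both checks so the difference is visible.
function evaluate(rooms, policy) {
  return rooms.map((room) => ({
    token: room.token,
    byName: isAllowedByName(room, policy, rooms),
    byToken: isAllowedByToken(room, policy),
  }));
}

// Detection aid for defenders: report name collisions among the rooms the
// agent can see, since any name-keyed policy is ambiguous for those rooms.
function findNameCollisions(rooms) {
  const byName = new Map();
  for (const r of rooms) {
    if (!byName.has(r.name)) byName.set(r.name, []);
    byName.get(r.name).push(r.token);
  }
  return [...byName.entries()]
    .filter(([, tokens]) => tokens.length > 1)
    .map(([name, tokens]) => ({ name, tokens }));
}

for (const row of evaluate(ROOMS, POLICY)) console.log(row);
console.log("collisions:", findNameCollisions(ROOMS));
```

Running the block shows the second room admitted by the name-keyed check and rejected by the token-keyed one. The collision report is the check an operator can run against an existing deployment before upgrading: if two reachable rooms share a name, a name-keyed allowlist cannot distinguish them.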
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| openclaw | npm | < 2026.3.22 | 2026.3.22 |
References
- github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87 (NVD: Patch)
- github.com/openclaw/openclaw/commit/a47722de7e3c9cbda8d5512747ca7e3bb8f6ee66 (NVD: Patch)
- github.com/advisories/GHSA-xhq5-45pm-2gjr (GHSA: Advisory)
- github.com/openclaw/openclaw/security/advisories/GHSA-xhq5-45pm-2gjr (NVD: Vendor Advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-35624 (GHSA: Advisory)
- www.vulncheck.com/advisories/openclaw-policy-confusion-via-room-name-collision-in-nextcloud-talk (NVD: Third Party Advisory)