Medium severity4.3NVD Advisory· Published Apr 9, 2026· Updated Apr 15, 2026

CVE-2026-35642

Description

OpenClaw before 2026.3.25 contains an authorization bypass vulnerability where group reaction events bypass the requireMention access control mechanism. Attackers can trigger reactions in mention-gated groups to enqueue agent-visible system events that should remain restricted.

Affected products

OpenClaw/Openclaw
cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Range: <2026.3.25

Patches

f8c986307852

https://github.com/openclaw/openclawvia nvd-ref

commit

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/openclaw/openclaw/commit/f8c98630785288cc1f1d0893503ef3b653a3cedenvdPatch
github.com/openclaw/openclaw/security/advisories/GHSA-mw7w-g3mg-xqm7nvdVendor Advisory
www.vulncheck.com/advisories/openclaw-authorization-bypass-in-group-reactions-via-requiremention-bypassnvdThird Party Advisory

News mentions

No linked articles in our index yet.

cvss	0.280
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000