Medium severity (CVSS 6.5) · NVD Advisory · Published Apr 10, 2026 · Updated Apr 13, 2026
CVE-2026-35657
Description
OpenClaw before 2026.3.25 contains an authorization bypass vulnerability in the HTTP `/sessions/:sessionKey/history` route, which skips validation of the `operator.read` scope. An attacker holding a token without operator read permissions can read session history by sending HTTP requests to the vulnerable endpoint.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| openclaw | npm | < 2026.3.25 | 2026.3.25 |
References
- Patch commit: github.com/openclaw/openclaw/commit/1c45123231516fa50f8cf8522ba5ff2fb2ca7aea (NVD: Patch)
- GitHub advisory: github.com/advisories/GHSA-5jvj-hxmh-6h6j (GHSA)
- Vendor advisory: github.com/openclaw/openclaw/security/advisories/GHSA-5jvj-hxmh-6h6j (NVD: Vendor Advisory)
- Third-party advisory: www.vulncheck.com/advisories/openclaw-authorization-bypass-in-http-session-history-route (NVD: Third Party Advisory)