CVE-2026-35655

Sažetak

OpenClaw before 2026.3.22 contains an identity spoofing vulnerability in ACP permission resolution that trusts conflicting tool identity hints from rawInput and metadata. Attackers can spoof tool identities through rawInput parameters to suppress dangerous-tool prompting and bypass security restrictions.

Reference

https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87
https://github.com/openclaw/openclaw/commit/e4c61723cd2d530680cc61789311d464ab8cdf60
https://github.com/openclaw/openclaw/security/advisories/GHSA-74wf-h43j-vvmj
https://www.vulncheck.com/advisories/openclaw-identity-spoofing-via-rawinput-tool-in-acp-permission-resolution

CVSS

Base:	5.7
Impact:	3.6
Exploitability:	2.1

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	LOW

Impact

Povjerljivost	Cjelovitost	Dostupnost
NONE	HIGH	NONE

CVSS vektor

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N

Zadnje važnije ažuriranje

10-04-2026 - 17:17

Objavljeno

10-04-2026 - 17:17