CVE-2026-35624

| EUVD-2026-21106 LOW
2026-04-09 VulnCheck GHSA-5f7h-p83x-5vc2
2.3
CVSS 4.0

CVSS Vector

CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Analysis Generated
Apr 09, 2026 - 21:45 vuln.today
EUVD ID Assigned
Apr 09, 2026 - 21:45 euvd
EUVD-2026-21106
Patch Released
Apr 09, 2026 - 21:45 nvd
Patch available
CVE Published
Apr 09, 2026 - 21:26 nvd
LOW 2.3

Tags

Authentication Bypass Openclaw

Description

OpenClaw before 2026.3.22 contains a policy confusion vulnerability in room authorization that matches colliding room names instead of stable room tokens. Attackers can exploit similarly named rooms to bypass allowlist policies and gain unauthorized access to protected Nextcloud Talk rooms.

Analysis

OpenClaw before version 2026.3.22 uses room names instead of stable tokens for Nextcloud Talk room authorization, allowing authenticated attackers to bypass allowlist policies by creating similarly named rooms and gaining unauthorized access to protected conversations. The vulnerability requires low privileges and high attack complexity but poses a direct confidentiality and integrity risk to room access controls. …

Sign in for full analysis, threat intelligence, and remediation guidance.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Priority Score

12
Low Medium High Critical
KEV: 0
EPSS: +0.1
CVSS: +12
POC: 0

Share

CVE-2026-35624 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy