Skip to main content

Canonical CVE-2026-35636

| EUVD-2026-21128 HIGH
Incorrect Behavior Order (CWE-696)
2026-04-09 VulnCheck GHSA-55rv-68q5-wxmq
Authentication Bypass Canonical
7.1
CVSS 4.0
Share

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

5
Re-analysis Queued
Apr 16, 2026 - 20:52 vuln.today
cvss_changed
EUVD ID Assigned
Apr 09, 2026 - 21:45 euvd
EUVD-2026-21128
Analysis Generated
Apr 09, 2026 - 21:45 vuln.today
Patch released
Apr 09, 2026 - 21:45 nvd
Patch available
CVE Published
Apr 09, 2026 - 21:27 nvd
HIGH 7.1

DescriptionNVD

OpenClaw versions 2026.3.11 through 2026.3.24 contain a session isolation bypass vulnerability where session_status resolves sessionId to canonical session keys before enforcing visibility checks. Sandboxed child sessions can exploit this to access parent or sibling sessions that should be blocked by explicit sessionKey restrictions.

AnalysisAI

Session isolation bypass in OpenClaw 2026.3.11 through 2026.3.24 allows authenticated attackers to access parent or sibling sessions bypassing visibility restrictions. The vulnerability exploits session_status logic that resolves sessionId to canonical session keys before enforcing explicit sessionKey-based access controls, enabling sandboxed child sessions to read data from sessions they should not access. …

Sign in for full analysis, threat intelligence, and remediation guidance.

RemediationAI

Within 24 hours: Identify all OpenClaw deployments and confirm versions in use (2026.3.11-2026.3.24 are affected). Within 7 days: Upgrade to the patched version released by the vendor (confirm exact version number from vendor advisory). …

Sign in for detailed remediation steps.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

More from same product – last 7 days

CVE-2026-49238 HIGH
8.4 May 28

Virtual machine escape in Canonical Multipass before 1.16.3 allows a root user inside a guest VM to read arbitrary files
CVE-2026-49237 HIGH
7.8 May 28

Local privilege escalation in Canonical Multipass for macOS before 1.16.3 allows a low-privileged local user to obtain r
CVE-2026-42790 HIGH
7.6 May 27

TLS server impersonation in Erlang/OTP's public_key library lets a name-constrained subordinate CA forge a trusted ident
CVE-2026-42462 HIGH
7.0 May 26

Here is the multi-source synthesis for CVE-2026-42462: ```json { "product_name": "Fedify", "summary": "Linked Data

CVE-2026-47674 MEDIUM
5.3 May 28

IP restriction bypass in Hono's ip-restriction middleware (hono/ip-restriction) prior to version 4.12.21 allows unauthen

Share

CVE-2026-35636 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy