EUVD-2026-21118

Q: Is Openclaw affected by EUVD-2026-21118?

OpenClaw versions before 2026.3.22 contain an authorization bypass that permits authenticated low-privilege users to execute administrative operations, enabling lateral privilege escalation to system-wide control-plane functions.

| CVE-2026-35631 HIGH

2026-04-09 VulnCheck

GHSA-3xcc-5274-wv65

7.1

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

EUVD ID Assigned

Apr 09, 2026 - 21:45 euvd

EUVD-2026-21118

Analysis Generated

Apr 09, 2026 - 21:45 vuln.today

Patch Released

Apr 09, 2026 - 21:45 nvd

Patch available

CVE Published

Apr 09, 2026 - 21:27 nvd

HIGH 7.1

Description

OpenClaw before 2026.3.22 fails to enforce operator.admin scope on mutating internal ACP chat commands, allowing unauthorized modifications. Attackers without admin privileges can execute mutating control-plane actions by directly invoking affected ACP commands to bypass authorization gates.

Analysis

Authorization bypass in OpenClaw versions prior to 2026.3.22 allows authenticated low-privilege users to execute administrative control-plane operations through internal ACP chat commands. The vulnerability stems from missing operator.admin scope enforcement on mutating commands, enabling unauthorized users to invoke privileged actions that modify system configuration or state. …

Remediation

Within 24 hours: Identify all OpenClaw deployments and current versions via asset inventory; verify which systems run versions prior to 2026.3.22. Within 7 days: Apply vendor-released patch to OpenClaw 2026.3.22 or later across all affected instances; prioritize control-plane and production environments. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +36

POC: 0

EUVD-2026-21118 vulnerability details – vuln.today

Back

EUVD-2026-21118

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

EUVD-2026-21118

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code