Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4Blast Radius
ecosystem impact- 5 npm packages depend on openclaw (5 direct, 0 indirect)
Ecosystem-wide dependent count for version 2026.3.22.
DescriptionCVE.org
OpenClaw before 2026.3.22 performs cite expansion before completing channel and DM authorization checks, allowing cite work and content handling prior to final auth decisions. Attackers can exploit this timing vulnerability to access or manipulate content before proper authorization validation occurs.
AnalysisAI
OpenClaw before version 2026.3.22 performs cite expansion before completing channel and direct message authorization checks, allowing unauthenticated remote attackers to access or manipulate content prior to authorization validation. This timing vulnerability exposes information disclosure and potential content tampering risks due to premature processing of cite operations that bypass security boundaries.
Technical ContextAI
OpenClaw's cite expansion mechanism processes and resolves citations within messages before the authorization layer has fully validated whether the requesting user has permission to access the referenced channel or direct message content. The vulnerability stems from an order-of-operations flaw (CWE-696: Incorrect Behavior Order) where cite dereferencing occurs during message handling prior to completion of access control checks. The cite expansion feature likely resolves references to external content, but when executed prematurely in the request processing pipeline, it exposes underlying content regardless of the user's authorization status for that content. This affects all versions of OpenClaw prior to 2026.3.22, as identified by the CPE string cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:*:*:*.
RemediationAI
Upgrade OpenClaw to version 2026.3.22 or later to resolve the cite expansion authorization bypass. The vendor has released patched versions incorporating multiple fixes committed to the repository (commits 630f1479c44f78484dfa21bb407cbe6f171dac87, 3cbf932413e41d1836cb91aed1541a28a3122f93, and ebee4e2210e1f282a982c7ef2ad79d77a572fc87) that reorder authorization checks to complete before cite expansion operations. For additional context and technical details, consult the vendor security advisory at https://github.com/openclaw/openclaw/security/advisories/GHSA-vfg3-pqpq-93m4 and the VulnCheck advisory at https://www.vulncheck.com/advisories/openclaw-premature-cite-expansion-before-authorization-in-channel-and-dm.
Auth bypass in OpenClaw voice-call extension before 2026.2.1. EPSS 0.68%. PoC and patch available.
Privilege escalation in OpenClaw (pre-2026.3.28) allows unauthenticated remote attackers to gain administrative access b
OpenClaw versions 2026.2.22 through 2026.2.24 contain a privilege escalation vulnerability that allows authenticated att
An authorization mismatch vulnerability in OpenClaw versions prior to 2026.3.1 allows authenticated users with operator.
OpenClaw versions prior to 2026.1.29 automatically establish WebSocket connections to attacker-controlled gateway URLs e
Path traversal in OpenClaw through version 2026.3.23 enables unauthenticated remote attackers to read arbitrary files in
OpenClaw sandbox browser functionality launches x11vnc for noVNC observer sessions without requiring authentication, all
OpenClaw versions before 2026.2.26 allow authenticated attackers to write arbitrary files outside the workspace director
OpenClaw versions prior to 2026.2.22 contain a shell environment variable injection vulnerability in the system.run func
OpenClaw versions prior to 2026.2.22 contain a resource exhaustion vulnerability where the application fails to consiste
OpenClaw versions prior to 2026.3.1 contain a sandbox escape vulnerability that allows authenticated attackers with low
OpenClaw versions 2026.1.30 and below fail to validate Telegram webhook secret tokens when `channels.telegram.webhookSec
Same weakness CWE-696 – Incorrect Behavior Order
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21130
GHSA-p6j4-wvmc-vx2h