Is Openclaw affected by EUVD-2026-21132?

CVE-2026-35638 is a high-severity privilege escalation vulnerability in OpenClaw Control UI (versions prior to 2026.3.22) that allows attackers to bypass authentication and assume arbitrary administrative privileges, potentially enabling unauthorized access to sensitive systems and data.

EUVD-2026-21132

| CVE-2026-35638 HIGH

2026-04-09 VulnCheck

GHSA-q49f-7fgv-7hx8

8.7

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

EUVD ID Assigned

Apr 09, 2026 - 21:45 euvd

EUVD-2026-21132

Analysis Generated

Apr 09, 2026 - 21:45 vuln.today

Patch Released

Apr 09, 2026 - 21:45 nvd

Patch available

CVE Published

Apr 09, 2026 - 21:27 nvd

HIGH 8.7

Description

OpenClaw before 2026.3.22 contains a privilege escalation vulnerability in the Control UI that allows unauthenticated sessions to retain self-declared privileged scopes without device identity verification. Attackers can exploit the device-less allow path in the trusted-proxy mechanism to maintain elevated permissions by declaring arbitrary scopes, bypassing device identity requirements.

Analysis

Privilege escalation in OpenClaw Control UI enables unauthenticated attackers to claim arbitrary privileged scopes without device identity verification. By exploiting the trusted-proxy mechanism's device-less allow path, attackers bypass authentication requirements and maintain elevated permissions across sessions. …

Remediation

Within 24 hours: Inventory all OpenClaw deployments and identify systems running versions prior to 2026.3.22. Within 7 days: Apply vendor-released patch to upgrade all affected OpenClaw instances to version 2026.3.22 or later; coordinate patching to minimize operational disruption. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +44

POC: 0

EUVD-2026-21132 vulnerability details – vuln.today

Back

EUVD-2026-21132

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

EUVD-2026-21132

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code