Severity by source
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4Blast Radius
ecosystem impact- 5 npm packages depend on openclaw (5 direct, 0 indirect)
Ecosystem-wide dependent count for version 2026.3.22.
DescriptionCVE.org
OpenClaw before 2026.3.22 contains a policy bypass vulnerability where queued node actions are not revalidated against current command policy when delivered. Attackers can exploit stale allowlists or declarations that survive policy tightening to execute unauthorized commands.
AnalysisAI
OpenClaw before version 2026.3.22 allows policy bypass through unvalidated queued node actions, enabling attackers to execute unauthorized commands by exploiting stale allowlists or policy declarations that persist after policy changes. The vulnerability requires network access and high attack complexity but no authentication, resulting in integrity impact without exposing confidentiality or availability. No public exploit code or active exploitation has been confirmed.
Technical ContextAI
OpenClaw is a command execution and policy enforcement framework that manages node actions through a queuing mechanism. The vulnerability stems from CWE-367 (Time-of-check Time-of-use race condition), where queued actions are delivered without revalidation against the current command policy state. When administrators tighten access policies, previously queued commands may reference allowlists or policy declarations that no longer reflect the current security posture. The affected component (CPE: cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:*:*:*) fails to validate queued node actions at execution time, allowing commands that should have been blocked by updated policies to proceed. This represents a logic flaw in the policy enforcement mechanism rather than a cryptographic or network protocol weakness.
RemediationAI
Vendor-released patch: OpenClaw 2026.3.22 or later. Users should upgrade immediately to the patched version. Two upstream commits (630f1479c44f78484dfa21bb407cbe6f171dac87 and ec2c6d83b9f5f91d6d9094842e0f19b88e63e3e2) document the fixes; these commits enforce revalidation of queued node actions against the current policy state before delivery. As a temporary workaround pending upgrade, administrators should flush or manually review pending queued actions whenever command policies are tightened, and implement process controls to verify that policy changes are applied to in-flight requests. Details are available in the GitHub security advisory at https://github.com/openclaw/openclaw/security/advisories/GHSA-wj55-88gf-x564 and the VulnCheck advisory at https://www.vulncheck.com/advisories/openclaw-policy-bypass-via-unvalidated-queued-node-actions.
Auth bypass in OpenClaw voice-call extension before 2026.2.1. EPSS 0.68%. PoC and patch available.
Privilege escalation in OpenClaw (pre-2026.3.28) allows unauthenticated remote attackers to gain administrative access b
OpenClaw versions 2026.2.22 through 2026.2.24 contain a privilege escalation vulnerability that allows authenticated att
An authorization mismatch vulnerability in OpenClaw versions prior to 2026.3.1 allows authenticated users with operator.
OpenClaw versions prior to 2026.1.29 automatically establish WebSocket connections to attacker-controlled gateway URLs e
Path traversal in OpenClaw through version 2026.3.23 enables unauthenticated remote attackers to read arbitrary files in
OpenClaw sandbox browser functionality launches x11vnc for noVNC observer sessions without requiring authentication, all
OpenClaw versions before 2026.2.26 allow authenticated attackers to write arbitrary files outside the workspace director
OpenClaw versions prior to 2026.2.22 contain a shell environment variable injection vulnerability in the system.run func
OpenClaw versions prior to 2026.2.22 contain a resource exhaustion vulnerability where the application fails to consiste
OpenClaw versions prior to 2026.3.1 contain a sandbox escape vulnerability that allows authenticated attackers with low
OpenClaw versions 2026.1.30 and below fail to validate Telegram webhook secret tokens when `channels.telegram.webhookSec
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21442