Security Advisory

CVE-2026-35621

CVE vulnerability detail — eXtreme Datacenter Security Operations

Published 2026-04-10 16:03:09
Last updated 2026-06-23 16:15:47
Assigner VulnCheck
State PUBLISHED

Description

OpenClaw before 2026.3.24 contains a privilege escalation vulnerability where the /allowlist command fails to re-validate gateway client scopes for internal callers, allowing operator.write-scoped clients to mutate channel authorization policy. Attackers can exploit chat.send to build an internal command-authorized context and persist channel allowFrom and groupAllowFrom policy changes reserved for operator.admin scope.