Vulnerability in Openclaw
CVE-2026-35617
OpenClaw before 2026.3.25 contains an authorization bypass vulnerability in Google Chat group policy enforcement that relies on mutable space display names. Attackers can rebind group policies by changing or colliding space display names t…
EPSS: 0.001 (20.3th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 4.2 (Medium). Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N.
Affected products
- Openclaw — versions 0, 2026.3.25
Weakness classification (CWE)
References
- GitHub Security Advisory (GHSA-52q4-3xjc-6778) (third-party-advisory)
- Patch Commit (patch)
- VulnCheck Advisory: OpenClaw < 2026.3.25 - Authorization Bypass via Group Policy Rebinding with Mutable Space displayName (third-party-advisory)
Frequently asked questions
- What is CVE-2026-35617?
- CVE-2026-35617 is a medium-severity vulnerability in Openclaw, classified under CWE-807. CVSS score: 4.2/10. Published 2026-04-09.
- How severe is CVE-2026-35617?
- Medium severity. CVSS v3 base score is 4.2 out of 10.