What is CVE-2026-35647?

CVE-2026-35647 is a medium-severity vulnerability in Openclaw, classified under Authentication Bypass Using an Alternate Path or Channel. CVSS score: 5.3/10. Published 2026-04-10.

How severe is CVE-2026-35647?

Medium severity. CVSS v3 base score is 5.3 out of 10.

Vulnerability in Openclaw

CVE-2026-35647

OpenClaw before 2026.3.25 contains an access control vulnerability where verification notices bypass DM policy checks and reply to unpaired peers. Attackers can send verification notices to users outside allowed direct message policies by…

EPSS: 0.000 (12.3th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 5.3 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N.

Affected products

Openclaw — versions 0, 2026.3.25

Weakness classification (CWE)

CWE-288 — Authentication Bypass Using an Alternate Path or Channel

References

GitHub Security Advisory (GHSA-9wqx-g2cw-vc7r) (third-party-advisory)
Patch Commit (patch)
VulnCheck Advisory: OpenClaw < 2026.3.25 - Direct Message Policy Bypass via Verification Notices (third-party-advisory)

Frequently asked questions

What is CVE-2026-35647?: CVE-2026-35647 is a medium-severity vulnerability in Openclaw, classified under Authentication Bypass Using an Alternate Path or Channel. CVSS score: 5.3/10. Published 2026-04-10.
How severe is CVE-2026-35647?: Medium severity. CVSS v3 base score is 5.3 out of 10.