What is CVE-2026-35654?

CVE-2026-35654 is a medium-severity vulnerability in Openclaw, classified under Authentication Bypass Using an Alternate Path or Channel. CVSS score: 5.3/10. Published 2026-04-10.

How severe is CVE-2026-35654?

Medium severity. CVSS v3 base score is 5.3 out of 10.

Vulnerability in Openclaw

CVE-2026-35654

OpenClaw before 2026.3.25 contains an authorization bypass vulnerability in Microsoft Teams feedback invokes that allows unauthorized senders to record session feedback. Attackers can bypass sender allowlist checks via feedback invoke endp…

EPSS: 0.000 (12.3th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 5.3 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N.

Affected products

Openclaw — versions 0, 2026.3.25

Weakness classification (CWE)

CWE-288 — Authentication Bypass Using an Alternate Path or Channel

References

GitHub Security Advisory (GHSA-rf6h-5gpw-qrgq) (third-party-advisory)
Patch Commit (patch)
VulnCheck Advisory: OpenClaw < 2026.3.25 - Authorization Bypass in Microsoft Teams Feedback Invoke (third-party-advisory)

Frequently asked questions

What is CVE-2026-35654?: CVE-2026-35654 is a medium-severity vulnerability in Openclaw, classified under Authentication Bypass Using an Alternate Path or Channel. CVSS score: 5.3/10. Published 2026-04-10.
How severe is CVE-2026-35654?: Medium severity. CVSS v3 base score is 5.3 out of 10.