What is CVE-2026-35655?

CVE-2026-35655 is a medium-severity vulnerability in Openclaw, classified under CWE-807. CVSS score: 5.7/10. Published 2026-04-10.

How severe is CVE-2026-35655?

Medium severity. CVSS v3 base score is 5.7 out of 10.

Vulnerability in Openclaw

CVE-2026-35655

OpenClaw before 2026.3.22 contains an identity spoofing vulnerability in ACP permission resolution that trusts conflicting tool identity hints from rawInput and metadata. Attackers can spoof tool identities through rawInput parameters to s…

EPSS: 0.000 (14.6th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 5.7 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N.

Affected products

Openclaw — versions 0, 2026.3.22

Weakness classification (CWE)

CWE-807

References

GitHub Security Advisory (GHSA-74wf-h43j-vvmj) (third-party-advisory)
Patch Commit #1 (patch)
Patch Commit #2 (patch)
VulnCheck Advisory: OpenClaw < 2026.3.22 - Identity Spoofing via rawInput Tool in ACP Permission Resolution (third-party-advisory)

Frequently asked questions

What is CVE-2026-35655?: CVE-2026-35655 is a medium-severity vulnerability in Openclaw, classified under CWE-807. CVSS score: 5.7/10. Published 2026-04-10.
How severe is CVE-2026-35655?: Medium severity. CVSS v3 base score is 5.7 out of 10.