CVE-2026-35674: OpenClaw < 2026.5.18 - Scope Bypass via Inherited chat.send Route
OpenClaw before 2026.5.18 contains a scope bypass vulnerability in the Gateway chat.send route that allows scoped clients to execute privileged commands. Attackers with operator.write scope can deliver commands through inherited external routes to bypass operator.approvals and operator.admin scope requirements, enabling unauthorized plugin, config, MCP, allowlist, and ACP mutations.
HarborGuard Analysis
Synopsis
OpenClaw before 2026.5.18 has a scope bypass vulnerability in the Gateway chat.send route. An attacker with a low-privilege operator.write token can reach the route over the network and route privileged commands through inherited external routes, bypassing the operator.approvals and operator.admin scope checks. Successful exploitation lets the attacker mutate plugins, configuration, MCP settings, allowlists, and ACP rules without proper authorization. A patched-image rebuild at 2026.5.18 is available on HarborGuard for affected environments.
HarborGuard Coverage
Detection is available across every HarborGuard environment: CVE-2026-35674 is ingested from upstream feeds within minutes of publication and matched against OpenClaw images in customer registries and CI pipelines, including custom-built derivatives.
Triage is available with the published CVSS v4.0 score of 8.7 (High), weighted by each customer org's compliance policy and routed to the inbox configured for that environment.
A patched-image rebuild at OpenClaw 2026.5.18 is available on HarborGuard. For customers who opt into auto-remediation, the rebuild is executed, regression tests are run, and a PR is opened against the affected workloads.
Exploit Conditions
- Network reachability: Required. The attacker must reach the OpenClaw Gateway chat.send route over the network.
- Authentication: Required. A low-privilege token with operator.write scope is sufficient; no admin or approvals scope is required to trigger the bypass.
- Victim interaction: Not required. The attack runs against the Gateway directly with no user action involved.
- Attack complexity: AC:L indicates the exploit is reliable and has no environmental preconditions once a scoped token is held.
Blast Radius
- Mutates plugin configuration, loading or altering code paths executed by the Gateway.
- Modifies server configuration, MCP settings, allowlists, and ACP rules that govern trust and access.
- Effectively escalates an operator.write token to full operator.admin authority, undermining the approvals workflow.
How HarborGuard Handles This
Available on HarborGuard: a patched-image rebuild at OpenClaw 2026.5.18 is published as soon as the fix is ingested, and for environments with auto-remediation enabled the rebuild is executed, regression-tested, and delivered as a PR against affected workloads. Median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in those environments. Where compliance policy gates auto-remediation, the rebuild is staged and the triage inbox is notified so an operator can approve the rollout; in the interim, restricting issuance of operator.write tokens and isolating the Gateway from untrusted callers via network policy are recommended compensating controls.
Metrics
- CVSS v4.0: 8.7
- Severity: HIGH
- Fixed in: 2026.5.18
- Affected Products: 1
Fix available
- OpenClaw / OpenClaw < 2026.5.18 (from 0), fixed in 2026.5.18
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N