
5 matches found

EUVD
added 2026/04/10 12:30 a.m. | 1 view

EUVD-2026-21118

OpenClaw before 2026.3.22 fails to enforce operator.admin scope on mutating internal ACP chat commands, allowing unauthorized modifications. Attackers without admin privileges can execute mutating control-plane actions by directly invoking affected ACP commands to bypass authorization gates...

CVSS 7.1 | AI score 6 | EPSS 0.00036
Exploits: 0 | References: 5
CVE
added 2026/04/09 9:27 p.m. | 3 views

CVE-2026-35631

OpenClaw vulnerable prior to version 2026.3.22: internal ACP chat commands fail to enforce operator.admin scope for mutating actions, allowing attackers without admin privileges to perform control-plane changes by direct command invocation. Impact: potential unauthorized modifications. Remediatio...

CVSS 7.1 | AI score 6 | EPSS 0.00036
Exploits: 0 | References: 4 | Affected Software: 1
ATTACKERKB
added 2026/04/09 9:27 p.m. | 3 views

CVE-2026-35631

OpenClaw before 2026.3.22 fails to enforce operator.admin scope on mutating internal ACP chat commands, allowing unauthorized modifications. Attackers without admin privileges can execute mutating control-plane actions by directly invoking affected ACP commands to bypass authorization gates...

CVSS 7.1 | AI score 6 | EPSS 0.00036
Exploits: 0 | References: 5
Positive Technologies
added 2026/04/09 12:0 a.m. | 3 views

PT-2026-31766

Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.3.22
Description: OpenClaw versions prior to 2026.3.22 do not properly enforce operator.admin scope on mutating internal ACP chat commands, which allows unauthorized modifications. Attackers without admin...

CVSS 7.1 | AI score 5.9 | EPSS 0.00036
Exploits: 0 | References: 8
Github Security Blog
added 2026/03/30 6:59 p.m. | 2 views

OpenClaw: Mutating internal `/allowlist` chat commands missed `operator.admin` scope enforcement

Fixed in OpenClaw 2026.3.24, the current shipping release.
Title: Mutating internal /allowlist chat commands missed operator.admin scope enforcement
CWE: CWE-862 Missing Authorization
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Base score: 6.5 Medium
Severity Assessment: Medium. This is a...

AI score 5.9
Exploits: 0 | References: 2 | Affected Software: 1