Listen to this Post
How CVE-2026-35674 Works
OpenClaw before version 2026.5.18 contains a scope bypass vulnerability in the Gateway `chat.send` route that allows scoped clients to execute privileged commands. The vulnerability arises from improper privilege validation (CWE-863), where the system fails to correctly enforce scope requirements when handling commands delivered through inherited external routes.
In affected releases, certain internal command handlers require `operator.approvals` or `operator.admin` scopes to execute. However, a scoped Gateway `chat.send` request delivered through an inherited external route could be evaluated as an external-channel command while still carrying the lower Gateway client scopes. This means that an attacker with only `operator.write` scope can send commands through these inherited routes and bypass the standard `operator.approvals` and `operator.admin` restrictions.
The attack leverages the Gateway’s routing mechanism: when a `chat.send` request is processed, the system evaluates it based on the delivery route rather than the originating client’s actual scope. If the session has an inherited external delivery route, the command is treated with elevated privileges, allowing the caller to execute administrative actions they would not normally have permission to perform.
Affected command families include approval resolution and selected administrative commands such as plugin, config, MCP, allowlist, and `ACP` mutations. This effectively grants remote actors the ability to elevate their privileges within the system. The vulnerability affects all OpenClaw releases before the 2026.5.18 update and requires only the ability to obtain `operator.write` scope to exploit.
The CVSS score of 8.7 marks this as a high-severity problem. Once `operator.write` scope is achievable, the attack is straightforward and can be executed remotely over the exposed Gateway interface. The fix is implemented in version 2026.5.18, where the `chat.send` route enforces proper scope checks.
DailyCVE Form
| Field | Value |
|-|-|
| Platform | OpenClaw |
| Version | < 2026.5.18 |
| Vulnerability | Scope Bypass |
| Severity | High (8.7) |
| Date | 2026-05-18 |
| Prediction | 2026-05-18 |
What Undercode Say
Analytics:
Check current OpenClaw version
npm list openclaw
Search for chat.send route handling in source
grep -r "chat.send" node_modules/openclaw/ --include=".js" | grep -i "scope"
Audit Gateway scope enforcement
curl -X POST http://localhost:3000/gateway/chat.send \
-H "Authorization: Bearer <operator_write_token>" \
-d '{"route":"inherited_external","command":"/config set"}' \
-v
Monitor for suspicious /config, /plugin, /allowlist commands in logs
tail -f /var/log/openclaw/gateway.log | grep -E "(config|plugin|allowlist|MCP|ACP)"
Detection Rule (Pseudocode):
IF session.route == "inherited_external" AND client.scope == "operator.write" AND command IN ["/config", "/plugin", "/allowlist", "/MCP", "/ACP"] THEN ALERT "Potential CVE-2026-35674 exploitation detected"
Exploit
An attacker with `operator.write` scope can:
- Craft a `chat.send` request targeting a session with an inherited external delivery route.
- Include a privileged command such as
/config set,/plugin install, or `/allowlist add` in the payload. - The Gateway evaluates the command as an external-channel command, bypassing `operator.approvals` and `operator.admin` checks.
- The command executes with elevated privileges, allowing unauthorized plugin installation, configuration modification, MCP manipulation, and allowlist/ACP alterations.
Example Exploit Payload:
POST /gateway/chat.send
Authorization: Bearer <operator_write_token>
{
"session_id": "session_with_inherited_external_route",
"command": "/plugin install malicious-plugin",
"route": "inherited_external"
}
Protection
- Upgrade OpenClaw to version 2026.5.18 or later, where the `chat.send` route enforces proper scope checks.
- Reconfigure the Gateway to disable inherited external routes for users with `operator.write` scope.
- Review and restrict `operator.write` permissions to minimize the attack surface.
- Enforce an approval workflow for any plugin or configuration changes.
- Avoid granting `operator.write` tokens to clients that can deliver commands into sessions with external routes unless those clients are trusted with admin-like command effects.
Impact
- Privilege Escalation: Attackers with only `operator.write` scope can execute commands requiring `operator.approvals` or
operator.admin. - Unauthorized Administrative Actions: Installation of plugins, modification of configuration, manipulation of MCPs, and alteration of allowlists and ACP entries.
- Remote Exploitation: The attack can be executed remotely over the exposed Gateway interface.
- High Severity: CVSS score of 8.7, indicating a critical risk to affected deployments.
- Wide Affected Range: All OpenClaw releases before version 2026.5.18 are vulnerable.
🎯Let’s Practice Exploiting & Learn Patching For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

