CVE-2026-35664
MEDIUM SEVERITY
CVSS Score & Metrics
Base Score
5.3 / 10
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Vulnerability Description
OpenClaw before 2026.3.25 contains an authentication bypass vulnerability in the raw card send surface that allows unpaired recipients to mint legacy callback payloads. Attackers can send raw card commands to bypass DM pairing restrictions and reach callback handling without proper authorization.
Vulnerability Details
Published Date
Last Modified
CWE ID
CWE-288
Source
NVD
Vendor
OpenClaw
Product
OpenClaw