// For flags

CVE-2026-35625

OpenClaw < 2026.3.25 - Privilege Escalation via Silent Local Shared-Auth Reconnect

Severity Score

8.5
*CVSS v4

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

OpenClaw before 2026.3.25 contains a privilege escalation vulnerability where silent local shared-auth reconnects auto-approve scope-upgrade requests, widening paired device permissions from operator.read to operator.admin. Attackers can exploit this by triggering local reconnection to silently escalate privileges and achieve remote code execution on the node.

*Credits: Peng Zhou (@zpbrent)
CVSS Scores
Attack Vector
Local
Attack Complexity
Low
Attack Requirements
None
Privileges Required
Low
User Interaction
None
System
Vulnerable | Subsequent
Confidentiality
High
None
Integrity
High
None
Availability
High
None
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2026-04-04 CVE Reserved
  • 2026-04-09 CVE Published
  • 2026-04-10 EPSS Updated
  • 2026-04-13 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-648: Incorrect Use of Privileged APIs
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
OpenClaw
Search vendor "OpenClaw"
 OpenClaw
Search vendor "OpenClaw" for product "OpenClaw"
 < 2026.3.25
Search vendor "OpenClaw" for product "OpenClaw" and version " < 2026.3.25"
en
Affected