clawsmith.com/signal/openclaw-april-2026-cve-batch-four-high-severity-vulns

Four New High-Severity OpenClaw CVEs Disclosed in April 2026: Gateway Privilege Escalation, Sandbox Escape, SSRF

CVE-2026-35669 (CVSS 8.8 gateway privilege escalation), CVE-2026-35625 (silent shared-auth scope upgrade to admin), CVE-2026-35668 (sandbox path traversal reads other agents' API keys), and CVE-2026-35629 (SSRF in channel extensions). All affect versions before v2026.3.25.

Product Idea from this Signal

A reverse proxy that enforces scope boundaries on OpenClaw gateway plugin routes and normalizes sandbox file paths before forwarding

916 ▲

OpenClaw's gateway plugin HTTP routes have a class of vulnerabilities where authenticated callers can escalate to operator.admin scope regardless of their actual permissions (CVE-2026-35669, CVSS 8.8), and sandboxed agents can read arbitrary files across workspaces through unnormalized path parameters (CVE-2026-35668). With 135K+ OpenClaw instances publicly exposed and six new HIGH-severity CVEs disclosed in April 2026 alone, a standalone reverse proxy that sits in front of the gateway and validates every plugin route call against the caller's granted scopes, while normalizing all file path parameters including mediaUrl and fileUrl aliases, would close these attack vectors without waiting for upstream patches.
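The two checks the proxy idea above rests on, route-scope enforcement and workspace path confinement, are easy to get subtly wrong (alias parameters skipped, URL-encoded dot segments, prefix matching on the workspace root). The following is an added illustration written for this page, not Clawsmith's or OpenClaw's code: the route names, the `operator.read` scope, the parameter alias list and the workspace layout are assumptions made for the example; only `operator.admin`, `mediaUrl` and `fileUrl` come from the text.

```python
import os
from urllib.parse import unquote

# Hypothetical route table mapping a plugin route to the scope it needs.
# These route names and "operator.read" are assumptions for the example;
# OpenClaw's real route table is not on the page.
ROUTE_SCOPES = {
    "/plugins/admin/reload": "operator.admin",
    "/plugins/media/fetch": "operator.read",
}

# Every parameter name the proxy treats as a file path. A filter that only
# looks at "path" misses the mediaUrl / fileUrl aliases.
PATH_PARAM_ALIASES = ("path", "file", "fileUrl", "mediaUrl")


def check_scope(route, caller_scopes):
    """Return None if the caller may hit the route, else a rejection reason.

    The decision uses only scopes the proxy derived from the caller's token;
    nothing in the request body can widen them.
    """
    required = ROUTE_SCOPES.get(route)
    if required is None:
        return f"unknown route {route}"  # default-deny routes not in the table
    if required not in caller_scopes:
        return f"route {route} requires {required}, caller has {sorted(caller_scopes)}"
    return None


def normalize_workspace_path(workspace_root, requested):
    """Resolve `requested` against the workspace root.

    Returns the absolute path if it stays inside the root, or None if it
    escapes (dot segments, encoded dot segments, absolute paths, NUL bytes).
    """
    value = unquote(requested)  # decode %2e%2e and friends before inspecting
    if "\x00" in value:
        return None
    if value.startswith("file://"):
        value = value[len("file://"):]
    root = os.path.realpath(workspace_root)
    # Leading slashes are treated as workspace-relative so an absolute path
    # cannot escape; realpath collapses "." / ".." and follows existing symlinks.
    candidate = os.path.realpath(os.path.join(root, value.lstrip("/")))
    # commonpath compares whole components, so "/ws/agent-a-backup" does not
    # pass as being under "/ws/agent-a" the way a string-prefix check would.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def screen_request(route, params, caller_scopes, workspace_root):
    """Decide whether to forward one plugin-route call to the gateway.

    Returns {"allowed": True, "params": cleaned} with every path-like
    parameter rewritten to its confined absolute form, or
    {"allowed": False, "reason": str}.
    """
    reason = check_scope(route, caller_scopes)
    if reason:
        return {"allowed": False, "reason": reason}
    cleaned = dict(params)
    for name in PATH_PARAM_ALIASES:
        if name in cleaned:
            resolved = normalize_workspace_path(workspace_root, cleaned[name])
            if resolved is None:
                return {"allowed": False, "reason": f"{name} escapes workspace"}
            cleaned[name] = resolved
    return {"allowed": True, "params": cleaned}


if __name__ == "__main__":
    # Constructed sample calls, not captured traffic.
    ws = "/srv/agents/agent-a"
    print(screen_request("/plugins/media/fetch", {"mediaUrl": "notes/today.md"}, {"operator.read"}, ws))
    print(screen_request("/plugins/media/fetch", {"fileUrl": "../agent-b/.env"}, {"operator.read"}, ws))
    print(screen_request("/plugins/media/fetch", {"path": "%2e%2e/agent-b/keys.json"}, {"operator.read"}, ws))
    print(screen_request("/plugins/admin/reload", {}, {"operator.read"}, ws))
```

The proxy rewrites path parameters to their resolved absolute form rather than merely accepting or rejecting them, so the gateway behind it never sees the raw caller-supplied string; a default-deny on unknown routes keeps a newly added plugin route from being forwarded unchecked.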

Tags: SECURITY, PROXY, OPEN-SOURCE, DEVTOOL, Competitive
Product Idea from this Signal

A security service that auto-patches OpenClaw CVEs within hours of disclosure before attackers exploit them

4.4k ▲

OpenClaw disclosed 9 CVEs in 4 days (March 2026), including a CVSS 9.9 privilege escalation affecting 135K+ exposed instances. Most operators have no way to know which CVEs affect their version, no automated patching, and no way to reconcile the flood of advisories (156+ total) with their actual attack surface. This tool continuously monitors CVE feeds, maps each advisory to your installed version and enabled features, and applies safe mitigations automatically while queuing risky patches for human approval.

Tags: SECURITY, CLI, DEVTOOL, OPEN-SOURCE, SYSADMIN, Competitive
Product Idea from this Signal

A background service that maps your OpenClaw version, enabled plugins, and network exposure against the CVE feed and outputs a real-time security posture score with a ranked remediation queue

288 ▲

139 security advisories in 63 days means OpenClaw operators face 2.2 new CVEs daily. 41% are rated High or Critical. ClawSec (894 stars) monitors for known threats and polls NVD, but every advisory is presented equally regardless of whether it applies to your setup. Operators running Telegram-only agents waste time triaging Slack channel CVEs that cannot affect them. This service fingerprints your exact deployment (version, channels, skills, network bindings) and scores each incoming CVE on actual exploitability in your environment, so your remediation queue contains only what matters.

Tags: BACKGROUND-SERVICE, SECURITY, SAAS, DEVTOOL, Competitive

Score Breakdown

GitHub: 146
