6.9
/ 10
MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Description
OpenClaw before 2026.3.25 contains an authorization bypass vulnerability in Telegram callback query handling that allows attackers to mutate session state without satisfying normal DM pairing requirements. Remote attackers can exploit weaker callback-only authorization in direct messages to bypass DM pairing and modify session state.
Basic Information
ID
CVE-2026-35661
Source
VulnCheck
Published
Apr 10, 2026 at 16:03
Modified
Apr 10, 2026 at 20:18
Affected Product
Vendor
OpenClaw
Product
OpenClaw
Affected Versions
OpenClaw OpenClaw 0