CVE-2026-35627

MediumPublic PoC

Published: 09 April 2026

Published

09 April 2026

Modified

16 April 2026

KEV Added

—

Patch

—

CVSS Score 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

EPSS Score 0.0011 29.3th percentile

Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Description

OpenClaw before 2026.3.22 performs cryptographic and dispatch operations on inbound Nostr direct messages before enforcing sender and pairing policy validation. Attackers can trigger unauthorized pre-authentication computation by sending crafted DM messages, enabling denial of service through resource exhaustion.

Mitigating Controls (NIST 800-53 r5)AI

AC-3 Access Enforcement good match

prevent

Enforces approved access policies including sender and pairing validation before logical access to perform cryptographic and dispatch operations on inbound Nostr DMs.

SI-10 Information Input Validation good match

prevent

Validates inbound Nostr DMs for policy compliance at system entry points prior to resource-intensive cryptographic processing, preventing unauthorized computation.

SC-5 Denial-of-service Protection good match

prevent

Provides denial-of-service protections against resource exhaustion triggered by crafted pre-authentication DMs causing excessive CPU workloads.

Security SummaryAI

CVE-2026-35627 affects OpenClaw versions prior to 2026.3.22, specifically in the handling of inbound Nostr direct messages (DMs). The vulnerability arises because the software performs cryptographic operations and dispatch processing on these messages before enforcing sender and pairing policy validation, violating CWE-696 (Incorrect Behavior Order). This misordered logic allows unauthorized pre-authentication computation, as scored at CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L), indicating network-accessible exploitation with low complexity and no privileges required.

Attackers can exploit this remotely without authentication by sending crafted DMs to any vulnerable OpenClaw instance exposed to untrusted networks. Successful exploitation triggers excessive cryptographic workloads and resource-intensive dispatch operations, leading to denial of service through exhaustion of CPU and other resources. The impact includes low-level integrity disruption (I:L) alongside availability impairment (A:L), potentially degrading service for legitimate users.

Mitigation is available via patches in OpenClaw commits 1ee9611079e81b9122f4bed01abb3d9f56206c77 and 630f1479c44f78484dfa21bb407cbe6f171dac87, which reorder validation ahead of computation. The GitHub security advisory (GHSA-65h8-27jh-q8wv) and VulnCheck advisory detail the fix, recommending immediate upgrade to OpenClaw 2026.3.22 or later for affected deployments handling Nostr DMs.

Details

CWE(s): CWE-696

Affected Products

openclaw

≤ 2026.3.22

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact

Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

attack.mitre.org →

Why these techniques?

The vulnerability enables remote unauthenticated attackers to cause resource exhaustion (CPU via pre-validation crypto/dispatch ops on crafted Nostr DMs), directly mapping to Endpoint Denial of Service via Application or System Exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

References

https://github.com/openclaw/openclaw/commit/1ee9611079e81b9122f4bed01abb3d9f56206c77
Patch · disclosure@vulncheck.com
https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87
Patch · disclosure@vulncheck.com
https://github.com/openclaw/openclaw/security/advisories/GHSA-65h8-27jh-q8wv
Vendor Advisory · disclosure@vulncheck.com
https://www.vulncheck.com/advisories/openclaw-unauthenticated-cryptographic-work-in-nostr-inbound-dm-handling
Third Party Advisory · disclosure@vulncheck.com