OpenClaw CVE-2026-35669: The 4-CVE Chain Attack and Cross-Platform Mitigation Guide (April 2026)

Four CVEs. One Chain. Your Entire Agent Infrastructure.

Between Thursday evening and Friday morning, four vulnerabilities composed into a recipe for total infrastructure compromise — admin access, invisible operation, credential theft, and a persistent backdoor. No audit trail.

The OpenClaw project disclosed seven new CVEs between April 10-11, 2026. Three rated High, four rated Medium. The headline: CVE-2026-35669, a scope boundary bypass carrying a CVSS 8.8 score that allows any authenticated user to escalate privileges to operator.admin in a single request.

135,000+ — Internet-exposed OpenClaw instances
Source: NemoClaw Intelligence Fleet (NS-06)

That is not a theoretical attack. If you are running one, an attacker with basic authentication can own your entire agent infrastructure before your next standup.

Key Takeaway: Patches are available in OpenClaw versions 2026.3.25 and 2026.3.28. If you have not updated yet, stop reading and patch. Then come back.

The Chain That Matters

Individual CVEs tell part of the story. The real danger is the chain — and this is the analysis nobody else is publishing.

An attacker starts with CVE-2026-35669 (scope bypass → operator.admin). From admin, they exploit CVE-2026-35637 (audit log bypass) to operate invisibly — every subsequent action leaves no forensic trace. They use CVE-2026-32898 (path traversal) to read configuration files containing API keys and database credentials. Finally, CVE-2026-35629 (skill manifest injection) lets them install a persistent backdoor disguised as a "legitimate" skill.

Key Takeaway: Four CVEs. One chain. Complete compromise with no audit trail.

Could your instance survive this chain today? Here is how to test: run the scope boundary test from the tutorial. If it fails, everything downstream is compromised.

The Seven CVEs: Technical Breakdown

Ordered by severity:

CVE-2026-35669 — Scope Boundary Bypass (CVSS 8.8, High)

A flaw in the permission evaluation chain allows an authenticated user to bypass scope boundaries and escalate to operator.admin. Network-based, low complexity, no user interaction. This is the one that triggers incident response.

CVE-2026-35625 — Session Token Reuse (CVSS 7.5, High)

Expired session tokens remain valid under specific race conditions. A captured token can be reused indefinitely until server restart.

CVE-2026-35629 — Skill Manifest Injection (CVSS 7.2, High)

Malicious content in skill manifests injects arbitrary commands during skill loading.

1,184 — Malicious skills on ClawHub — roughly 1 in 12 published packages
Source: NemoClaw Intelligence Fleet (NS-07)

CVE-2026-35637 — Audit Log Bypass (CVSS 6.5, Medium)

Specific API call patterns execute without generating audit entries. For organizations mapping to NIST AI RMF or SOX controls, this breaks your audit trail and compliance posture.

CVE-2026-35638 — Memory Leak in Long-Running Sessions (CVSS 5.3, Medium)

Agent sessions over 4 hours exhibit progressive memory leaks leading to denial of service. Compounds with WebSocket timeout issues from OpenShell Issue #409.

CVE-2026-33579 — Cross-Skill Data Leakage (CVSS 5.8, Medium)

Data intended for one skill readable by another in the same session under specific timing conditions. In multi-tenant deployments: customer A's data leaks to customer B's agent.

CVE-2026-32898 — Configuration File Path Traversal (CVSS 4.3, Medium)

Crafted configuration parameters allow reading arbitrary host files. Combined with CVE-2026-35669's privilege escalation, this becomes full filesystem read.

Chain Variants: The Three Independent Risks

The remaining CVEs don't extend the primary chain but represent independent attack surfaces: CVE-2026-35625 (session token reuse) amplifies initial access by extending the exploitation window. CVE-2026-35638 (memory leak DoS) provides availability impact for distraction during the chain attack. CVE-2026-33579 (cross-skill data leakage) adds a confidentiality dimension in multi-tenant deployments — valuable reconnaissance for selecting high-value targets before executing the chain.

Cross-Platform Mitigation: NemoClaw, NanoClaw, and IronClaw

I run the ADAS-Evolved multi-agent framework with daily security intelligence gathering across all three platforms. Here is how each handles these specific attack vectors.

NemoClaw (NVIDIA) — Kernel-Level, Five-Layer Security

NemoClaw enforces security at the kernel level rather than in userspace. CVE-2026-35669's scope bypass is architecturally impossible — scope boundaries are OS-level constraints, not application logic. Skill manifest injection (35629) fails against cryptographic signature verification. NemoClaw v0.3.2 (April 8) added experimental egress logging at the kernel layer, where application code cannot suppress it. Limitation: still in alpha.

NanoClaw — Docker Isolation, Lightweight

Each agent runs in its own Docker container. Scope bypass within one container does not grant access to others. Cross-skill data leakage (33579) is eliminated by container boundaries. Limitation: Docker isolation is userspace-based. The April 2026 sandbox escape wave demonstrated four container escapes in seven days.

IronClaw — Rust + TEE + WebAssembly

TEE-enforced permissions hold even if the application layer is fully compromised. Path traversal (32898) is impossible — WebAssembly provides no filesystem access by default. Limitation: requires Intel SGX/TDX or AMD SEV hardware.

The Gap All Three Miss

None address agent evolution — the ability for agents to improve their own code while maintaining security invariants. This is the gap ADAS-Evolved fills. When your agent modifies its own behavior (mutation, crossover, selection), the security model must evolve with it. Static sandboxing assumes the workload does not change. Self-evolving agents break that assumption.

2,400+ — Evolution cycles confirming self-evolving agent security as a real attack surface
Source: ADAS-Evolved internal data

What To Do Right Now

Immediate (today):

1. Patch to OpenClaw 2026.3.25 or 2026.3.28

2. Rotate all API keys and session tokens (CVE-2026-35625)

3. Audit ClawHub skill dependencies — remove unverified publishers

Quick scope boundary test:

curl -s -o /dev/null -w "%{http_code}" \\
  -X POST "$OPENCLAW_URL/api/v1/skills/install" \\
  -H "Authorization: Bearer $READONLY_TOKEN" \\
  -H "Content-Type: application/json" \\
  -d '{"skill": "test-probe", "dry_run": true}'
# Expected: 403. If you get 200, you're exposed.

This week:

1. Review audit logs for gaps — CVE-2026-35637 means pre-patch actions may be missing

2. Run the full 20-minute CVE chain audit

This month:

1. Evaluate platform migration. 138 total CVEs, 7 new in 48 hours — factor this cadence into your platform decision.

2. Consider hardening-in-place: network isolation, skill sandboxing, and audit logging as an overlay while you evaluate NemoClaw, NanoClaw, or IronClaw.

The Bigger Pattern

The OpenClaw ecosystem has accumulated 138 CVEs. The disclosure cadence is accelerating — seven in 48 hours is the highest rate tracked. The community-first skill distribution model has created a supply chain problem at scale (1,184 malicious skills and counting). The 35-63% vulnerability rate among internet-exposed instances means more deployments are vulnerable than not.

$11-14 billion — AI consulting market projected for 2026 with 26.2% CAGR
Source: Verified Market Research

A significant share of that spend will be remediation. And with NIST AI RMF now establishing audit trail integrity as a compliance requirement, CVE-2026-35637 alone creates regulatory exposure.

Key Takeaway: Chain analysis, not individual CVE scores, reveals the real risk to your agent infrastructure. The question is not whether to act. The question is whether you act now, on your terms, or later, on an attacker's.

Liam McCarthy builds agent security infrastructure at Reality (aireality.io). The ADAS-Evolved framework provides self-evolving multi-agent orchestration with security-by-design. Need an emergency security assessment? Email lm@aireality.io — assessments ship in 24 hours.