CVE-2026-35649

OpenClaw before 2026.3.22 contains a settings reconciliation vulnerability that allows attackers to bypass intended deny-all revocations by exploiting empty allowlist handling. The vulnerability treats explicit empty allowlists as unset during reconciliation, silently undoing intended access control denials and restoring previously revoked permissions.

More information : https://github.com/openclaw/openclaw/commit/3cbf932413e41d1836cb91aed1541a28a3122f93