CVE-2026-35636

Name: CVE-2026-35636 — Vulnerability Record
Brand: Quanteta Data Lab
SKU: CVE-2026-35636

MEDIUM

CVSS v3.1: 6.5 · EPSS: 0.0003 (9.3 percentile)

NetworkNo user interactionVendor advisory ref

Source data as of: 2026-04-17 06:05:21 UTC

At a glance

Severity: MEDIUM
CVSS: 6.5 v3.1 · NVD
EPSS: 0.0003 (9.3 percentile) · FIRST.org
CISA KEV: No
Attack conditions (CVSS vector): NetworkNo user interaction · Source: NVD Vector
Affected vendors: openclaw
Published: 2026-04-09 · Modified: 2026-04-16
References: Jump to references (3)

CVSS / EPSS / KEV

CVSS v3.1 6.5 / 10 MEDIUM Source: NVD

CVSS v4.0 7.1 / 10 HIGH Source: NVD

EPSS 0.0003 9.3 percentile Source: FIRST.org

CISA KEV No Source: CISA

Source — CVSS: NVD · EPSS: FIRST.org · KEV: CISA. Data & Sources

Description

OpenClaw versions 2026.3.11 through 2026.3.24 contain a session isolation bypass vulnerability where session_status resolves sessionId to canonical session keys before enforcing visibility checks. Sandboxed child sessions can exploit this to access parent or sibling sessions that should be blocked by explicit sessionKey restrictions.

Record details

CVE ID: CVE-2026-35636
CVSS (v3.1): 6.5 (MEDIUM)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Exploitability subscore: 2.8
Impact subscore: 3.6
EPSS: 0.0003 (9.3 percentile) — 2026-04-17
CISA KEV: No
Weakness (CWE): CWE-696
Affected vendors: openclaw
Affected configurations (CPE): 1
Published: 2026-04-09
Modified: 2026-04-16
Status: Analyzed

References

Reference URLs as listed by NVD, grouped by a mechanical match on the link's host/pattern. Labels describe the link type only.

← Back to all records

CVE-2026-35636

At a glance

CVSS / EPSS / KEV

Description

Record details

References

Related records

Same affected vendor

Same weakness type (CWE)

Published the same year