CVE-2026-35627: OpenClaw: Nostr inbound DMs could trigger unauthenticated crypto work before sender policy enforcement
Nostr inbound DM handling could perform crypto and dispatch work before sender and pairing policy enforcement, enabling unauthorized pre-auth computation.
References
- github.com/advisories/GHSA-65h8-27jh-q8wv
- github.com/openclaw/openclaw
- github.com/openclaw/openclaw/commit/1ee9611079e81b9122f4bed01abb3d9f56206c77
- github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87
- github.com/openclaw/openclaw/security/advisories/GHSA-65h8-27jh-q8wv
- nvd.nist.gov/vuln/detail/CVE-2026-35627
- www.vulncheck.com/advisories/openclaw-unauthenticated-cryptographic-work-in-nostr-inbound-dm-handling