What is CVE-2026-35650?

A vulnerability in OpenClaw where prompt-injected model outputs can rewrite sandbox policies, plugin permissions, routing hooks, and filesystem protections by writing to trusted configuration paths.

How does CVE-2026-35650 work?

An AI model receiving prompt-injected instructions with access to the owner-only gateway tool can persistently alter critical security settings including sandbox policies and SSRF protections.

What version of OpenClaw fixes CVE-2026-35650?

The vulnerability was fixed in OpenClaw version 2026.4.20, released shortly after disclosure on April 27, 2026.

What settings can be modified through CVE-2026-35650?

Sandbox policies, plugin enablements, Server-Side Request Forgery (SSRF) policies, filesystem hardening rules, MCP server settings, and routing hooks.

Is CVE-2026-35650 related to the Claw Chain vulnerabilities?

No, CVE-2026-35650 was disclosed separately on April 27, 2026. The Claw Chain (CVE-2026-44112 through 44118) was disclosed by Cyera in May 2026 and involves different attack vectors.

← Back to dashboard

clawsmith.com/signal/cve-2026-35650-prompt-injection-sandbox-policy-bypass

⚠ IssueUnknownVulnerabilityLive

CVE-2026-35650: Prompt Injection Rewrites OpenClaw Sandbox Policies, Plugin Permissions, and Routing Hooks

Model outputs with crafted prompt-injection payloads can override operator safeguards by writing to trusted configuration paths. Sandbox policies, plugin permissions, routing hooks, MCP server settings, and filesystem protections are all reachable through the bug. Configuration patching did not adequately cover several sensitive operator-trusted settings. Fixed in v2026.4.20.

Product Idea from this Signal

A policy enforcement daemon that blocks prompt-injection config rewrites on self-hosted OpenClaw agents running on NVIDIA RTX hardware

435 ▲

OpenClaw agents running on local hardware like NVIDIA RTX Spark and DGX are still vulnerable to prompt-injection attacks that rewrite sandbox policies, plugin permissions, and routing hooks (CVE-2026-35650). Existing solutions are either cloud-only (E2B, Microsoft MXC) or require enterprise Kubernetes stacks (NemoClaw, ClawArmor). Self-hosters on consumer NVIDIA hardware have no lightweight way to enforce immutable security policies. This daemon sits between the LLM and the agent gateway as a sidecar process, validating every config mutation against a locked policy file and rejecting anything that touches sandbox rules, SSRF protections, or filesystem hardening without explicit operator approval.

SECURITYLOCAL-AINVIDIAOPEN-SOURCEDEVTOOLSIDECAR

CompetitiveView Opportunity →