Description
OpenClaw before 2026.3.11 contains an authorization bypass vulnerability allowing write-scoped callers to reach admin-only session reset logic. Attackers with operator.write scope can issue agent requests containing /new or /reset slash commands to reset targeted conversation state without holding operator.admin privileges.
Published: 2026-03-29
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: Administrative Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

OpenClaw versions prior to 2026.3.11 contain an authorization bypass (CWE-863, Incorrect Authorization) that lets callers holding only operator.write scope reach session reset logic that is meant to be admin-only. By sending an agent request whose text carries a /new or /reset slash command, such a caller can wipe the conversation state of a targeted session without holding operator.admin. The published metrics rate the consequence as no confidentiality loss, low integrity loss and high availability loss: an insufficiently privileged but authenticated caller can disrupt the continuity of user interactions at will, but the flaw does not provide code execution or data exfiltration.
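To make the CWE-863 pattern concrete, here is an added JavaScript sketch. It is not OpenClaw's code and the page does not show OpenClaw's real request shape, handler names or session store; only the scope names operator.write and operator.admin and the /new and /reset commands come from the advisory. parseCommand, requiredScope, handleAgentRequestVulnerable, handleAgentRequestFixed, makeStore, appendTurn, findSuspectResets and the record shape used by the hunt are all assumptions. The block contrasts a gate that checks one coarse scope and then dispatches slash commands with one that derives the required scope from the same parse the dispatcher uses, and adds a small hunt over constructed request records for reset commands issued by callers without operator.admin.

```javascript
// Added illustration of the CWE-863 pattern in this advisory. Not OpenClaw
// code: only operator.write, operator.admin, /new and /reset come from the
// CVE text. Request shape, session store and all function names are assumed.

const SLASH_RE = /^\/(\w+)\b/;
// Commands that wipe conversation state; the advisory names /new and /reset.
const RESET_COMMANDS = new Set(['new', 'reset']);

// Leading slash command of an agent message (lower-cased), or null.
function parseCommand(text) {
  const m = SLASH_RE.exec(text.trim());
  return m ? m[1].toLowerCase() : null;
}

// Minimal in-memory store standing in for real conversation state.
function makeStore() {
  return { sessions: new Map() };
}

function resetSession(store, sessionId) {
  store.sessions.set(sessionId, []);
  return 'reset';
}

function appendTurn(store, sessionId, text) {
  if (!store.sessions.has(sessionId)) store.sessions.set(sessionId, []);
  store.sessions.get(sessionId).push(text);
  return 'appended';
}

// Vulnerable shape (hypothetical reconstruction of the bug class, not the
// real pre-2026.3.11 code): the gate asks only "may this caller write to the
// agent?" and then dispatches slash commands, so a reset is reachable with
// operator.write alone.
function handleAgentRequestVulnerable(store, caller, req) {
  if (!caller.scopes.has('operator.write')) {
    throw new Error('forbidden: operator.write required');
  }
  const cmd = parseCommand(req.text);
  if (cmd && RESET_COMMANDS.has(cmd)) return resetSession(store, req.sessionId);
  return appendTurn(store, req.sessionId, req.text);
}

// Hardened shape: classify the request with the SAME parser the dispatcher
// uses, then demand the scope that action requires. Reset commands need
// operator.admin; ordinary turns still need operator.write.
function requiredScope(req) {
  const cmd = parseCommand(req.text);
  return cmd && RESET_COMMANDS.has(cmd) ? 'operator.admin' : 'operator.write';
}

function handleAgentRequestFixed(store, caller, req) {
  const need = requiredScope(req);
  if (!caller.scopes.has(need)) throw new Error(`forbidden: ${need} required`);
  const cmd = parseCommand(req.text);
  if (cmd && RESET_COMMANDS.has(cmd)) return resetSession(store, req.sessionId);
  return appendTurn(store, req.sessionId, req.text);
}

// Hunting on a not-yet-patched instance: flag records where a reset command
// came from a caller lacking operator.admin. The record shape
// { caller, scopes: [...], text } is constructed for this example.
function findSuspectResets(records) {
  return records.filter((r) =>
    requiredScope(r) === 'operator.admin' && !r.scopes.includes('operator.admin'));
}

// Walk both handlers with constructed callers and a constructed /reset request.
function demo() {
  const writer = { id: 'svc-ingest', scopes: new Set(['operator.write']) };
  const admin = { id: 'ops-admin', scopes: new Set(['operator.write', 'operator.admin']) };
  const req = { sessionId: 'conv-42', text: '/reset' };

  const vuln = makeStore();
  appendTurn(vuln, 'conv-42', 'hello');
  const vulnResult = handleAgentRequestVulnerable(vuln, writer, req); // 'reset'
  const vulnTurns = vuln.sessions.get('conv-42').length;              // 0: state wiped

  const fixed = makeStore();
  appendTurn(fixed, 'conv-42', 'hello');
  let fixedResult;
  try {
    fixedResult = handleAgentRequestFixed(fixed, writer, req);
  } catch (e) {
    fixedResult = e.message; // 'forbidden: operator.admin required'
  }
  const fixedTurnsAfterWriter = fixed.sessions.get('conv-42').length; // 1: untouched
  const adminResult = handleAgentRequestFixed(fixed, admin, req);     // 'reset'

  return { vulnResult, vulnTurns, fixedResult, fixedTurnsAfterWriter, adminResult };
}

console.log(JSON.stringify(demo()));
```

The design point is that the privilege decision must be made after the request has been classified, using the same classification the dispatcher acts on; a check that runs before the slash-command parse can only ever test the coarse scope, which is exactly the gap the advisory describes. The findSuspectResets hunt is the same predicate turned backwards, which is why the fix and the detection share requiredScope.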

Affected Systems

The vulnerability affects the OpenClaw platform in every release before 2026.3.11. The CPE entry (cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*) scopes it to the Node.js distribution of OpenClaw with no lower version bound, so any earlier version should be treated as affected.

Risk and Exploitability

The CVSS v4.0 score of 6.9 (v3.1: 6.1) classifies this flaw as medium severity. No EPSS score is available and it is not listed in the CISA KEV catalog, so there is no public evidence of exploitation in the wild. An attacker needs a credential that carries operator.write scope, which may be granted to agents or automation, and then only has to send an agent request whose text begins with /new or /reset against the target session. Note that both published vectors rate the attack vector as Local (AV:L) with low privileges required and no user interaction; the characterization of the path as remote authenticated API access is not reflected in those metrics, so verify reachability against your own deployment rather than assuming either. Upgrading to 2026.3.11 removes the bypass; until then the only mitigation is narrowing which principals hold operator.write.

Generated by OpenCVE AI on March 29, 2026 at 14:39 UTC.

Remediation

The CVE record itself lists no vendor fix or workaround; the description identifies 2026.3.11 as the first unaffected release.

OpenCVE Recommended Actions

  • Upgrade OpenClaw to version 2026.3.11 or newer.
  • Restrict or remove operator.write scope from agents that do not require session reset capabilities to reduce attack surface.

Advisories

No advisories yet.

History

Sun, 29 Mar 2026 13:15:00 +0000

Change record (first appearance of the entry; every field below was added, none removed):

  Description: OpenClaw before 2026.3.11 contains an authorization bypass vulnerability allowing write-scoped callers to reach admin-only session reset logic. Attackers with operator.write scope can issue agent requests containing /new or /reset slash commands to reset targeted conversation state without holding operator.admin privileges.
  Title: OpenClaw < 2026.3.11 - Unauthorized Session Reset via agent Slash Commands
  First Time appeared: Openclaw; Openclaw openclaw
  Weaknesses: CWE-863 (Incorrect Authorization)
  CPEs: cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
  Vendors & Products: Openclaw; Openclaw openclaw
  References: (none)
  Metrics:
    cvssV3_1: {'score': 6.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H'}
    cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-29T12:44:22.118Z

Reserved: 2026-03-16T21:19:31.965Z

Link: CVE-2026-32919

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-03-29T13:17:00.380

Modified: 2026-03-29T13:17:00.380

Link: CVE-2026-32919

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-29T20:31:34Z

Weaknesses