Description
OpenClaw before 2026.3.25 contains an authorization bypass vulnerability in the HTTP /sessions/:sessionKey/history route that skips operator.read scope validation. Attackers can access session history without proper operator read permissions by sending HTTP requests to the vulnerable endpoint.
Published: 2026-04-10
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Authorization Bypass via /sessions/:sessionKey/history
Action: Apply Patch
AI Analysis

Impact

The vulnerability allows remote actors to retrieve session history data without possessing the operator.read permission. By sending crafted HTTP requests to the /sessions/:sessionKey/history endpoint, an attacker can bypass the intended scope check and access potentially sensitive information from users' sessions. This flaw gives an attacker unauthorized read access to data that should be protected by application-level authorization controls.

Affected Systems

OpenClaw deployments running any version older than 2026.3.25 are affected. The issue exists in the core application code prior to the 2026.3.25 release, regardless of the underlying operating system or host environment.

Risk and Exploitability

The flaw carries a CVSS score of 7.1, indicating a medium-to-high severity. No EPSS value is available and the vulnerability is not listed in the CISA KEV catalog, but it can be exploited over the network by sending unauthenticated or improperly scoped HTTP requests. The required conditions are minimal: access to the vulnerable endpoint and knowledge of a valid sessionKey. An attacker who can perform the request can read session history data without additional privileges.

Generated by OpenCVE AI on April 10, 2026 at 17:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenClaw to version 2026.3.25 or later.
  • If an upgrade is not immediately possible, block or filter requests to the /sessions/:sessionKey/history endpoint until the patch is applied, ensuring that only properly scoped requests can reach it.
  • Maintain monitoring of access logs for unexpected or unauthorized calls to the session history route.
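The pattern the advisory describes (CWE-863, a route that skips the operator.read scope check) comes down to a handler reaching the data before the caller's scope is evaluated. The following is an added illustration, not OpenClaw's code: an Express-style handler for GET /sessions/:sessionKey/history, first in the vulnerable shape and then with the scope check enforced before any lookup. The request shape (req.auth.scopes), the checkScope helper and the in-memory history store are assumptions made for this example.

```javascript
// Added illustration, not OpenClaw's code. The request shape, the
// checkScope helper and the history store are assumptions for this example.

const REQUIRED_SCOPE = 'operator.read';

// Constructed sample data standing in for the gateway's session store.
const SESSION_HISTORY = {
  'sess-123': [{ role: 'user', text: 'hello' }, { role: 'assistant', text: 'hi' }],
};

// Scope check shared by every operator route. Returns null when the caller
// is allowed, otherwise the HTTP status the handler should respond with.
function checkScope(req, scope) {
  if (!req.auth) return 401;                       // no authenticated caller
  const scopes = Array.isArray(req.auth.scopes) ? req.auth.scopes : [];
  return scopes.includes(scope) ? null : 403;      // authenticated, but not authorized
}

// Vulnerable shape: the handler goes straight to the data, so any caller
// that knows a sessionKey receives the history regardless of scope.
function historyHandlerVulnerable(req) {
  const history = SESSION_HISTORY[req.params.sessionKey];
  return history ? { status: 200, body: history } : { status: 404, body: null };
}

// Fixed shape: authorization is evaluated before any data is touched, and
// before the key is even looked up, so the 403 path leaks no key validity.
function historyHandlerFixed(req) {
  const denied = checkScope(req, REQUIRED_SCOPE);
  if (denied) return { status: denied, body: null };
  const history = SESSION_HISTORY[req.params.sessionKey];
  return history ? { status: 200, body: history } : { status: 404, body: null };
}
```

Evaluating the scope before the session lookup also means a caller without operator.read gets 403 whether or not the sessionKey exists, so the route does not confirm valid keys to unauthorized callers.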

Advisories
Source       ID                    Title
Github GHSA  GHSA-5jvj-hxmh-6h6j   OpenClaw: Gateway HTTP Session History Route Bypasses Operator Read Scope
History

Tue, 14 Apr 2026 15:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 10 Apr 2026 16:30:00 +0000

Type                  Values Removed   Values Added
Description                            OpenClaw before 2026.3.25 contains an authorization bypass vulnerability in the HTTP /sessions/:sessionKey/history route that skips operator.read scope validation. Attackers can access session history without proper operator read permissions by sending HTTP requests to the vulnerable endpoint.
Title                                  OpenClaw < 2026.3.25 - Authorization Bypass in HTTP Session History Route
First Time appeared                    Openclaw; Openclaw openclaw
Weaknesses                             CWE-863
CPEs                                   cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products                     Openclaw; Openclaw openclaw
References
Metrics                                cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}
                                       cvssV4_0: {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-14T14:28:51.873Z

Reserved: 2026-04-04T12:31:57.498Z

Link: CVE-2026-35657

Vulnrichment

Updated: 2026-04-14T14:28:47.822Z

NVD

Status: Analyzed

Published: 2026-04-10T17:17:06.913

Modified: 2026-04-13T21:08:02.290

Link: CVE-2026-35657

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-13T13:00:47Z

Weaknesses