Description
OpenClaw before 2026.3.23 contains an insufficient access control vulnerability in the Gateway agent /reset endpoint that allows callers with operator.write permission to reset admin sessions. Attackers with operator.write privileges can invoke /reset or /new messages with an explicit sessionKey to bypass operator.admin requirements and reset arbitrary sessions.
Published: 2026-04-10
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Session Reset / Denial of Service
Action: Immediate Patch
AI Analysis

Impact

OpenClaw before 2026.3.23 has an insufficient access control flaw in the Gateway agent /reset endpoint that permits callers who hold operator.write permissions to reset admin sessions. This capability undermines the integrity of privileged sessions and can lead to denial of service for administrators or unauthorized manipulation of session state, compromising the availability and trust of the system.

Affected Systems

The affected product is OpenClaw with all releases prior to 2026.3.23. No additional vendors or product versions are mentioned in the advisory.

Risk and Exploitability

The CVSS score of 7.2 signals a high severity risk, while the EPSS score is unavailable and the vulnerability is not listed in the KEV catalog, indicating limited known exploitation. Attackers must first obtain operator.write privileges; once achieved, they may use the /reset or /new endpoints with an explicit sessionKey to bypass the required operator.admin role and reset any session. The likely attack vector is through the authenticated /reset API endpoint, requiring user authentication and appropriate role elevation.

Generated by OpenCVE AI on April 10, 2026 at 17:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenClaw to version 2026.3.23 or later to apply the access control fix.
  • If an immediate upgrade is not possible, restrict operator.write permissions to trusted users and monitor activity on the /reset and /new endpoints.
  • Review system logs for suspicious session reset actions and enforce clear separation between operator.write and operator.admin roles.

Generated by OpenCVE AI on April 10, 2026 at 17:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-wq58-2pvg-5h4f OpenClaw: Gateway agent /reset exposes admin session reset to operator.write callers
History

Mon, 13 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 10 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Description OpenClaw before 2026.3.23 contains an insufficient access control vulnerability in the Gateway agent /reset endpoint that allows callers with operator.write permission to reset admin sessions. Attackers with operator.write privileges can invoke /reset or /new messages with an explicit sessionKey to bypass operator.admin requirements and reset arbitrary sessions.
Title OpenClaw < 2026.3.23 - Insufficient Access Control in Gateway Agent Session Reset
First Time appeared Openclaw
Openclaw openclaw
Weaknesses CWE-862
CPEs cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products Openclaw
Openclaw openclaw
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H'}

cvssV4_0

{'score': 7.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Openclaw Openclaw
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-13T17:41:32.978Z

Reserved: 2026-04-04T12:31:57.498Z

Link: CVE-2026-35660

cve-icon Vulnrichment

Updated: 2026-04-13T17:41:15.401Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-10T17:17:07.493

Modified: 2026-04-13T20:32:00.390

Link: CVE-2026-35660

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-13T13:00:43Z

Weaknesses