CVE-2026-32919
Authorization Bypass in OpenClaw Allows Unauthorized Session Reset
Publication date: 2026-03-29
Last updated on: 2026-03-31
Assigner: VulnCheck
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openclaw | openclaw | < 2026.3.11 (exclusive; fixed in 2026.3.11) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of CVE-2026-32919 on compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
CVE-2026-32919 is an authorization bypass vulnerability in OpenClaw versions before 2026.3.11. It allows attackers who have the operator.write scope (but not operator.admin privileges) to execute admin-only session reset commands. Specifically, these attackers can send agent requests containing the "/new" or "/reset" slash commands to reset the state of targeted conversations. This happens because the authorization checks were only applied at the outer RPC method level, while the internal agent slash-command paths reused the admin-only reset logic, enabling write-scoped users to bypass proper authorization and perform session resets without admin rights.
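The TypeScript sketch below is an added illustration of the flaw class this answer describes; it is not OpenClaw's code, and every type, function and field name in it is an assumption. It models an outer RPC method that checks operator.admin beside an agent slash-command path that only requires operator.write yet reuses the same reset helper, then shows the hardened shape in which the reset helper enforces the admin check itself so no caller can skip it.

```typescript
// Added illustration of the flaw class described for CVE-2026-32919.
// Not OpenClaw's code: every name here is an assumption used to model
// "authorization checked at the outer RPC layer only, while an internal
// slash-command path reuses the admin-only reset logic".

type Scope = "operator.read" | "operator.write" | "operator.admin";

interface Principal {
  id: string;
  scopes: Set<Scope>;
}

// Constructed in-memory session store.
const sessions = new Map<string, { turns: string[] }>();

function requireScope(p: Principal, scope: Scope): void {
  if (!p.scopes.has(scope)) {
    throw new Error(`authorization denied: ${p.id} lacks ${scope}`);
  }
}

function appendTurn(sessionId: string, message: string): void {
  const s = sessions.get(sessionId) ?? { turns: [] };
  s.turns.push(message);
  sessions.set(sessionId, s);
}

function turnCount(sessionId: string): number {
  return sessions.get(sessionId)?.turns.length ?? 0;
}

// --- Vulnerable shape -------------------------------------------------
// The reset helper trusts its caller to have done the admin check.
function resetSessionUnchecked(sessionId: string): void {
  sessions.set(sessionId, { turns: [] });
}

// Outer RPC method: the admin check lives here...
function rpcSessionsResetVulnerable(p: Principal, sessionId: string): void {
  requireScope(p, "operator.admin");
  resetSessionUnchecked(sessionId);
}

// ...but the agent path only requires write scope and then reuses the
// same reset helper, so "/new" or "/reset" wipes the session anyway.
function agentRequestVulnerable(p: Principal, sessionId: string, message: string): string {
  requireScope(p, "operator.write");
  const cmd = message.trim().split(/\s+/)[0];
  if (cmd === "/new" || cmd === "/reset") {
    resetSessionUnchecked(sessionId); // bypass: no operator.admin check on this path
    return "session reset";
  }
  appendTurn(sessionId, message);
  return "ok";
}

// --- Hardened shape ---------------------------------------------------
// The reset helper enforces the privilege it protects, so the RPC method
// and the slash-command path cannot diverge; the RPC entry point would
// simply call resetSession() as well.
function resetSession(p: Principal, sessionId: string): void {
  requireScope(p, "operator.admin");
  sessions.set(sessionId, { turns: [] });
}

function agentRequestHardened(p: Principal, sessionId: string, message: string): string {
  requireScope(p, "operator.write");
  const cmd = message.trim().split(/\s+/)[0];
  if (cmd === "/new" || cmd === "/reset") {
    resetSession(p, sessionId); // throws for a write-only caller
    return "session reset";
  }
  appendTurn(sessionId, message);
  return "ok";
}

// Demo with constructed principals: an admin uses the RPC method, then a
// write-only principal sends "/reset" down the vulnerable and hardened paths.
function demo(): { adminTurns: number; vulnerableTurns: number; hardenedTurns: number; hardenedDenied: boolean } {
  const admin: Principal = { id: "admin", scopes: new Set<Scope>(["operator.admin", "operator.write"]) };
  const writer: Principal = { id: "writer", scopes: new Set<Scope>(["operator.write"]) };

  sessions.clear();
  appendTurn("s1", "hello");
  appendTurn("s1", "world");
  rpcSessionsResetVulnerable(admin, "s1");
  const adminTurns = turnCount("s1"); // 0: the intended admin path works

  appendTurn("s1", "hello");
  appendTurn("s1", "world");
  agentRequestVulnerable(writer, "s1", "/reset");
  const vulnerableTurns = turnCount("s1"); // 0: state wiped without admin scope

  appendTurn("s1", "hello");
  appendTurn("s1", "world");
  let hardenedDenied = false;
  try {
    agentRequestHardened(writer, "s1", "/reset");
  } catch (e) {
    hardenedDenied = e instanceof Error && e.message.startsWith("authorization denied");
  }
  const hardenedTurns = turnCount("s1"); // 2: request refused, state intact
  return { adminTurns, vulnerableTurns, hardenedTurns, hardenedDenied };
}

console.log(demo());
```

The design point is where the check lives: when the privileged operation enforces its own requirement, adding a second caller (here, a slash-command handler) cannot silently widen who may invoke it.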
How can this vulnerability impact me?
This vulnerability can impact you by allowing users with limited write permissions to reset conversation sessions that should only be resettable by administrators. This unauthorized session reset can disrupt ongoing conversations or workflows, potentially causing loss of session state or data integrity issues. The vulnerability has a moderate severity with a CVSS score of 6.1, indicating a significant impact on availability and integrity, though it does not affect confidentiality.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves unauthorized use of the /new or /reset agent slash commands by users with operator.write scope to reset conversation sessions without admin privileges.
To detect exploitation attempts on your network or system, monitor agent requests for usage of the /new or /reset commands issued by users who only have operator.write privileges but not operator.admin privileges.
You can use network or application logs to identify such requests. For example, searching logs for agent requests whose message begins with the '/new' or '/reset' command and that were issued by non-admin users may indicate attempts to exploit this vulnerability.
Specific commands depend on your logging and monitoring setup, but example commands might include:
- Using grep on log files (the `-w` flag keeps the match to the whole command token): `grep -Ew '/new|/reset' /path/to/openclaw/logs/*`
- Filtering logs for operator.write scoped users issuing these commands to detect unauthorized session resets.
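An added TypeScript example of the log filter described above. The JSON log schema and the field names (ts, principal, scopes, method, message) are constructed for this example, since OpenClaw's real log format is not given on this page. It reports /new or /reset agent requests from principals that hold operator.write but not operator.admin, skips malformed lines, and compares the whole leading command token rather than a substring, so a longer command that merely starts with the same prefix is not reported.

```typescript
// Added detection sketch for CVE-2026-32919. The log format below is
// constructed for this example; field names are assumptions, not OpenClaw's.

interface AgentLogEvent {
  ts: string;
  principal: string;
  scopes: string[];
  method: string;   // assumed, e.g. "agent.request"
  message?: string; // agent message body, if any
}

interface Finding {
  ts: string;
  principal: string;
  command: string;
  reason: string;
}

const RESET_COMMANDS = new Set(["/new", "/reset"]);

// Extract the leading slash command from a message, normalised to lower case.
function slashCommand(message: string | undefined): string | undefined {
  if (!message) return undefined;
  const first = message.trim().split(/\s+/)[0];
  return first && first.startsWith("/") ? first.toLowerCase() : undefined;
}

// Parse one JSON log line; malformed lines are skipped rather than aborting the sweep.
function parseLine(line: string): AgentLogEvent | undefined {
  try {
    const obj = JSON.parse(line);
    if (typeof obj.principal !== "string" || !Array.isArray(obj.scopes)) return undefined;
    return obj as AgentLogEvent;
  } catch {
    return undefined;
  }
}

// Flag reset slash commands issued by principals that hold operator.write
// but not operator.admin: the population the bypass applies to.
function detectUnauthorizedResets(lines: string[]): Finding[] {
  const findings: Finding[] = [];
  for (const line of lines) {
    const ev = parseLine(line);
    if (!ev) continue;
    const isAdmin = ev.scopes.includes("operator.admin");
    const canWrite = ev.scopes.includes("operator.write");
    if (isAdmin || !canWrite) continue;

    const cmd = slashCommand(ev.message);
    if (ev.method === "agent.request" && cmd && RESET_COMMANDS.has(cmd)) {
      findings.push({
        ts: ev.ts,
        principal: ev.principal,
        command: cmd,
        reason: "write-scoped principal issued an admin-only reset slash command",
      });
    }
  }
  return findings;
}

// Constructed sample log lines (not real OpenClaw output).
const SAMPLE_LOG = [
  '{"ts":"2026-03-30T10:00:01Z","principal":"alice","scopes":["operator.admin","operator.write"],"method":"agent.request","message":"/reset"}',
  '{"ts":"2026-03-30T10:00:05Z","principal":"bob","scopes":["operator.write"],"method":"agent.request","message":"hello, summarize this"}',
  '{"ts":"2026-03-30T10:00:09Z","principal":"bob","scopes":["operator.write"],"method":"agent.request","message":"/new"}',
  '{"ts":"2026-03-30T10:00:12Z","principal":"carol","scopes":["operator.read"],"method":"agent.request","message":"/reset"}',
  '{"ts":"2026-03-30T10:00:15Z","principal":"bob","scopes":["operator.write"],"method":"agent.request","message":"/newsletter draft"}',
  "not json at all",
  '{"ts":"2026-03-30T10:00:20Z","principal":"bob","scopes":["operator.write"],"method":"agent.request","message":"  /RESET now"}',
];

function runDetection(): Finding[] {
  return detectUnauthorizedResets(SAMPLE_LOG);
}

for (const f of runDetection()) {
  console.log(`${f.ts} ${f.principal} ${f.command}: ${f.reason}`);
}
```

On the sample input only bob's "/new" and "  /RESET now" requests are reported: alice holds operator.admin, carol lacks operator.write (so the write check on the agent path would already have refused her), and "/newsletter draft" is a different command that a plain substring search for "/new" would have matched.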
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade OpenClaw to version 2026.3.11 or later, where the vulnerability has been fixed.
This update removes the routing of the /new and /reset commands through the admin-only sessions.reset entry point, preventing write-scoped users from bypassing authorization.
Until the upgrade can be applied, consider restricting or monitoring operator.write scoped users' ability to issue /new or /reset commands to prevent unauthorized session resets.