CVE-2026-35645
Privilege Escalation in OpenClaw Gateway Plugin Session Deletion
Publication date: 2026-04-09
Last updated on: 2026-04-15
Assigner: VulnCheck
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openclaw | openclaw | up to 2026.3.25 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-648 | The product does not conform to the API requirements for a function call that requires extra privileges. This could allow attackers to gain privileges by causing the function to be called incorrectly. |
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in OpenClaw versions before 2026.3.25 and involves a privilege escalation issue within the gateway plugin subagent's fallback deleteSession function.
The problem arises because this function uses a synthetic operator.admin runtime scope, which means it can perform actions with administrative privileges.
Attackers can exploit this vulnerability by triggering session deletion without a request-scoped client, allowing them to execute privileged operations with unintended administrative scope.
How can this vulnerability impact me?
This vulnerability can allow an attacker with limited privileges to escalate their privileges to administrative level within the OpenClaw system.
As a result, the attacker could perform unauthorized privileged operations, potentially compromising the security and integrity of the affected system.