Executive Summary

This vulnerability exists in OpenClaw versions before 2026.3.23 and involves insufficient access control in the Gateway agent's /reset endpoint.

Specifically, users with operator.write permission can reset admin sessions by invoking the /reset or /new endpoints with an explicit sessionKey, bypassing the need for operator.admin privileges.

This means that attackers who have operator.write access can reset arbitrary sessions, potentially disrupting or taking over admin sessions.

Useful 0 Not Useful 0

Impact Analysis

The vulnerability allows attackers with operator.write privileges to reset admin sessions without proper authorization.

This can lead to unauthorized session resets, potentially causing denial of service to administrators or enabling attackers to hijack or disrupt administrative control.

The impact includes loss of administrative control, disruption of normal operations, and increased risk of further exploitation.

Useful 0 Not Useful 0

Compliance Impact

CVE-2026-35660 involves an insufficient access control vulnerability that allows users with operator.write permissions to reset administrator sessions, bypassing intended operator.admin restrictions. This unauthorized session reset capability poses a high-severity security risk by potentially enabling privilege escalation or unauthorized access to administrative functions.

Such a vulnerability can impact compliance with common standards and regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive data and administrative privileges. Unauthorized session resets could lead to unauthorized access or disruption of administrative controls, thereby increasing the risk of data breaches or operational disruptions that these regulations aim to prevent.

Therefore, until patched, this vulnerability could undermine an organization's ability to maintain compliance with these standards by failing to enforce proper authorization controls on critical administrative operations.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves unauthorized use of the Gateway agent's /reset or /new endpoints by users with operator.write permissions to reset admin sessions. Detection can focus on monitoring network traffic or logs for calls to these endpoints that include explicit sessionKey parameters initiated by operator.write scoped users.

Suggested detection methods include:

• Inspect logs or network traffic for HTTP or RPC requests to the /reset or /new endpoints containing sessionKey parameters.
• Identify if these requests originate from users or clients with operator.write permissions rather than operator.admin.
• Use commands or scripts to query logs for suspicious reset attempts, for example, using grep or similar tools to find '/reset' or '/new' calls with sessionKey in gateway logs.
• Example command to search logs: grep -E '/reset|/new' /var/log/openclaw/gateway.log | grep sessionKey
• Monitor for error messages indicating missing operator.admin scope when reset attempts are rejected, which may appear in logs after patching.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade OpenClaw to version 2026.3.23 or later, where the vulnerability has been fixed by enforcing that only clients with operator.admin privileges can invoke /reset or /new commands to reset sessions.

Additional immediate steps include:

• Restrict or audit operator.write permissions to ensure only trusted users have this level of access.
• Monitor and block unauthorized attempts to call /reset or /new endpoints with explicit sessionKey parameters.
• Apply the patch or update from the GitHub Security Advisory GHSA-wq58-2pvg-5h4f or the commit 50f6a2f136fed85b58548a38f7a3dbb98d2cd1a0.
• Implement additional logging and alerting on session reset attempts to detect potential exploitation.

Useful 0 Not Useful 0