CVE-2026-35660
Insufficient Access Control in OpenClaw Gateway Allows Session Reset
Publication date: 2026-04-10
Last updated on: 2026-04-13
Assigner: VulnCheck
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openclaw | openclaw | up to 2026.3.23 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in OpenClaw versions before 2026.3.23 and involves insufficient access control in the Gateway agent's /reset endpoint.
Specifically, users with operator.write permission can reset admin sessions by invoking the /reset or /new endpoints with an explicit sessionKey, bypassing the need for operator.admin privileges.
This means that attackers who have operator.write access can reset arbitrary sessions, potentially disrupting or taking over admin sessions.
How can this vulnerability impact me?
The vulnerability allows attackers with operator.write privileges to reset admin sessions without proper authorization.
This can lead to unauthorized session resets, potentially causing denial of service to administrators or enabling attackers to hijack or disrupt administrative control.
The impact includes loss of administrative control, disruption of normal operations, and increased risk of further exploitation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
CVE-2026-35660 involves an insufficient access control vulnerability that allows users with operator.write permissions to reset administrator sessions, bypassing intended operator.admin restrictions. This unauthorized session reset capability poses a high-severity security risk by potentially enabling privilege escalation or unauthorized access to administrative functions.
Such a vulnerability can impact compliance with common standards and regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive data and administrative privileges. Unauthorized session resets could lead to unauthorized access or disruption of administrative controls, thereby increasing the risk of data breaches or operational disruptions that these regulations aim to prevent.
Therefore, until patched, this vulnerability could undermine an organization's ability to maintain compliance with these standards by failing to enforce proper authorization controls on critical administrative operations.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves unauthorized use of the Gateway agent's /reset or /new endpoints by users with operator.write permissions to reset admin sessions. Detection can focus on monitoring network traffic or logs for calls to these endpoints that include explicit sessionKey parameters initiated by operator.write scoped users.
Suggested detection methods include:
- Inspect logs or network traffic for HTTP or RPC requests to the /reset or /new endpoints containing sessionKey parameters.
- Identify if these requests originate from users or clients with operator.write permissions rather than operator.admin.
- Use commands or scripts to query logs for suspicious reset attempts, for example using grep or similar tools to find '/reset' or '/new' calls with sessionKey in gateway logs.
- Example command to search logs: `grep -E '/reset|/new' /var/log/openclaw/gateway.log | grep sessionKey`
- Monitor for error messages indicating missing operator.admin scope when reset attempts are rejected, which may appear in logs after patching.
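The grep above only finds calls that carry a sessionKey; the second detection step, correlating each call with the caller's scopes, is easier in a small script. The following is an added example, not code from OpenClaw or from this advisory. The key=value log format, the client names and the scope values in the sample lines are constructed for the example; adapt parseLine() to whatever your gateway actually writes.

```typescript
// Added example, not OpenClaw's own code: flag /reset or /new calls that name
// an explicit sessionKey but come from a caller without operator.admin.
// The key=value log format below is CONSTRUCTED for this example; adapt
// parseLine() to the format your gateway actually writes.

interface GatewayEvent {
  ts: string;
  clientId: string;
  scopes: string[];      // e.g. ["operator.write"]
  method: string;        // invoked endpoint / RPC method, e.g. "/reset"
  sessionKey?: string;   // explicit target session, when the request carried one
}

// Constructed sample log: two non-admin callers naming another session,
// one admin doing the same legitimately, plus a line that should not parse.
const SAMPLE_LOG = [
  "2026-04-11T09:00:01Z client=agent-17 scopes=operator.write method=/chat",
  "2026-04-11T09:00:05Z client=agent-17 scopes=operator.write method=/reset sessionKey=admin-main",
  "2026-04-11T09:00:09Z client=ops-admin scopes=operator.admin,operator.write method=/reset sessionKey=agent-17",
  "2026-04-11T09:00:12Z client=agent-22 scopes=operator.write method=/new",
  "2026-04-11T09:00:15Z client=agent-22 scopes=operator.write method=/new sessionKey=admin-main",
  "garbage line without fields",
].join("\n");

function parseLine(line: string): GatewayEvent | null {
  const parts = line.trim().split(/\s+/);
  if (parts.length < 2) return null;
  const ev: GatewayEvent = { ts: parts[0], clientId: "", scopes: [], method: "" };
  for (const kv of parts.slice(1)) {
    const eq = kv.indexOf("=");
    if (eq < 0) continue;
    const key = kv.slice(0, eq);
    const val = kv.slice(eq + 1);
    if (key === "client") ev.clientId = val;
    else if (key === "scopes") ev.scopes = val.split(",").filter((s) => s.length > 0);
    else if (key === "method") ev.method = val;
    else if (key === "sessionKey") ev.sessionKey = val;
  }
  // A line with no method field is not a gateway call we can reason about.
  return ev.method !== "" ? ev : null;
}

const RESET_METHODS = ["/reset", "/new"];

// The condition the advisory describes: a reset that targets a named session
// while the caller lacks the scope the fix requires (operator.admin).
function isSuspiciousReset(ev: GatewayEvent): boolean {
  return RESET_METHODS.indexOf(ev.method) !== -1
    && ev.sessionKey !== undefined
    && ev.scopes.indexOf("operator.admin") === -1;
}

function findSuspiciousResets(log: string): GatewayEvent[] {
  const hits: GatewayEvent[] = [];
  for (const line of log.split("\n")) {
    const ev = parseLine(line);
    if (ev !== null && isSuspiciousReset(ev)) hits.push(ev);
  }
  return hits;
}

for (const ev of findSuspiciousResets(SAMPLE_LOG)) {
  console.log(`${ev.ts} ALERT client=${ev.clientId} ${ev.method} targeted sessionKey=${ev.sessionKey} with scopes=${ev.scopes.join(",")}`);
}
```

On the constructed sample the admin's reset of agent-17 is not reported, while both operator.write callers that named admin-main are. On a patched gateway the same events should appear as rejected requests rather than successful resets; the detection logic does not change, only the expected outcome does.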
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade OpenClaw to version 2026.3.23 or later, where the vulnerability has been fixed by enforcing that only clients with operator.admin privileges can invoke /reset or /new commands to reset sessions.
Additional immediate steps include:
- Restrict or audit operator.write permissions to ensure only trusted users have this level of access.
- Monitor and block unauthorized attempts to call /reset or /new endpoints with explicit sessionKey parameters.
- Apply the patch or update from the GitHub Security Advisory GHSA-wq58-2pvg-5h4f or the commit 50f6a2f136fed85b58548a38f7a3dbb98d2cd1a0.
- Implement additional logging and alerting on session reset attempts to detect potential exploitation.
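To make the fix concrete in CWE-862 terms, here is an added example that models the authorization decision for a session reset in two shapes: the vulnerable one, where operator.write is the only scope consulted, and the hardened one, where an explicit sessionKey requires operator.admin. This is illustrative code, not OpenClaw's implementation or the advisory's patch; the Caller and ResetRequest shapes, the client names, and the reason strings are constructed, and the rule that a request with no sessionKey resets the caller's own session under operator.write is this example's assumption.

```typescript
// Added example, not OpenClaw's own code: the missing authorization check
// (CWE-862) modelled as a vulnerable decision function beside the fixed one.
// Scope names follow the advisory; caller/request shapes are constructed.

type Scope = "operator.read" | "operator.write" | "operator.admin";

interface Caller {
  id: string;
  scopes: Scope[];
  ownSessionKey: string;   // the session this client is bound to (constructed)
}

interface ResetRequest {
  method: "/reset" | "/new";
  sessionKey?: string;     // explicit target; absent means "my own session"
}

interface Decision {
  allowed: boolean;
  target: string;
  reason: string;          // constructed wording, usable as an audit-log field
}

function hasScope(caller: Caller, scope: Scope): boolean {
  return caller.scopes.indexOf(scope) !== -1;
}

// Vulnerable shape: operator.write is the only scope consulted, so the explicit
// sessionKey is honoured no matter whose session it names.
function authorizeResetVulnerable(caller: Caller, req: ResetRequest): Decision {
  const target = req.sessionKey ?? caller.ownSessionKey;
  if (!hasScope(caller, "operator.write")) {
    return { allowed: false, target, reason: "operator.write required" };
  }
  return { allowed: true, target, reason: "operator.write present" };
}

// Fixed shape: naming a session explicitly is an administrative action and
// requires operator.admin. Resetting one's own session (no sessionKey) keeps
// the operator.write requirement; that own-session rule is this example's
// assumption, not something the advisory spells out.
function authorizeResetFixed(caller: Caller, req: ResetRequest): Decision {
  const target = req.sessionKey ?? caller.ownSessionKey;
  if (!hasScope(caller, "operator.write")) {
    return { allowed: false, target, reason: "operator.write required" };
  }
  if (req.sessionKey !== undefined && !hasScope(caller, "operator.admin")) {
    return { allowed: false, target, reason: "explicit sessionKey requires operator.admin" };
  }
  return {
    allowed: true,
    target,
    reason: req.sessionKey === undefined ? "own session" : "operator.admin present",
  };
}

// Constructed callers and requests for the walk-through.
const writer: Caller = { id: "agent-17", scopes: ["operator.write"], ownSessionKey: "agent-17" };
const admin: Caller = { id: "ops-admin", scopes: ["operator.write", "operator.admin"], ownSessionKey: "ops-admin" };
const resetAdmin: ResetRequest = { method: "/reset", sessionKey: "admin-main" };
const resetOwn: ResetRequest = { method: "/new" };

const checks: Array<[string, (c: Caller, r: ResetRequest) => Decision]> = [
  ["vulnerable", authorizeResetVulnerable],
  ["fixed", authorizeResetFixed],
];
const cases: Array<[Caller, ResetRequest]> = [[writer, resetAdmin], [writer, resetOwn], [admin, resetAdmin]];

for (const [label, authorize] of checks) {
  for (const [who, req] of cases) {
    const d = authorize(who, req);
    console.log(`${label}: ${who.id} ${req.method} -> ${d.target}: ${d.allowed ? "ALLOW" : "DENY"} (${d.reason})`);
  }
}
```

The difference between the two functions is a single branch: the hardened version treats the presence of an explicit sessionKey, not the endpoint name, as the trigger for the stronger scope check. The denial reason it returns is the kind of "missing operator.admin" signal the detection answer above suggests watching for once the upgrade is in place.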